Mini Shai-Hulud hits 314 npm packages in new wave
Key insights
- 271 of the 314 compromised packages belong to a single namespace (@antv), suggesting a maintainer-level or token-level credential compromise.
- This wave targets frontend utility libraries, entirely distinct from wave one's AI infrastructure focus, indicating a systematic multi-sector campaign.
- echarts-for-react, size-sensor, and timeago.js each carry millions of downstream dependents, amplifying credential-exposure risk across CI pipelines globally.
Why this matters
Supply chain attacks that proceed in successive waves, first AI infrastructure tooling and now mainstream frontend libraries, compress the window between discovery of one wave and downstream exploitation by the next, leaving large organizations with no safe assumption about which dependency trees are clean. Any team whose CI builds resolve npm dependencies without a committed lockfile, without install scripts disabled, or without provenance verification is operating under active threat conditions, not theoretical ones. Because the @antv namespace underpins a large share of data visualization work in the JavaScript ecosystem, the credential-leak radius extends well beyond teams that have ever heard of Mini Shai-Hulud.
Summary
A second wave of the Mini Shai-Hulud supply chain campaign has compromised 314 npm packages, with attackers systematically sweeping through the entire @antv data visualization namespace — 271 packages — plus high-traffic libraries echarts-for-react, size-sensor, and timeago.js, all carrying millions of downstream dependents in production frontend environments.
The attack pattern has shifted meaningfully from the prior wave, which targeted AI infrastructure tooling at Mistral AI, Guardrails AI, and UiPath. This round goes after frontend utility namespaces, suggesting the campaign isn't opportunistic — it's working through categories of widely-deployed packages methodically.
In short: the confirmed blast radius is the @antv packages plus echarts-for-react, size-sensor, and timeago.js, and any CI pipeline that installed a compromised version of one of them may have leaked credentials.
- 271 packages compromised within a single namespace (@antv), indicating the attacker gained control at the maintainer or registry-token level, not package by package.
- The prior wave and this wave target non-overlapping ecosystems, pointing to a systematic campaign rather than a targeted one-off.
- Developers should treat any credentials reachable from a CI environment that installed these packages during the compromise window as potentially exposed, and rotate them rather than wait for confirmation.
Two waves in, the campaign has now touched both AI infrastructure tooling and mainstream frontend libraries — the attack surface is wider than any single team's dependency audit will catch.
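As an added example, not code from the source article or from safedep.io, the following Node.js script parses a package-lock.json (lockfileVersion 2 or 3) and lists every installed package in the @antv scope or named echarts-for-react, size-sensor, or timeago.js, including nested copies, and notes whether the lockfile records an install script or is missing an integrity hash for it. The embedded sample lockfile is constructed; its version numbers and hashes are placeholders, not the compromised versions, which the source does not list. Whether this campaign used install scripts at all is also not stated in the source; the flag is there because it is the first thing a responder checks.

```javascript
// Added example (not from the source article): scan an npm package-lock.json
// (lockfileVersion 2 or 3) for packages named in this report and flag any
// that the lockfile marks as having an install script (a common hook for
// code that runs at `npm install` time; the source does not describe this
// campaign's payload mechanics) or as lacking an integrity hash.
"use strict";

// Names taken from the report. Compromised version numbers are NOT listed in
// the source, so this script flags by name only; version triage is manual.
const WATCHED_SCOPES = new Set(["@antv"]);
const WATCHED_NAMES = new Set(["echarts-for-react", "size-sensor", "timeago.js"]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageNameFromPath(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function isWatched(name) {
  if (WATCHED_NAMES.has(name)) return true;
  return name.startsWith("@") && WATCHED_SCOPES.has(name.split("/")[0]);
}

// Returns one record per watched package found anywhere in the tree,
// including nested copies under other packages' node_modules.
function findWatchedPackages(lockfile) {
  if (!lockfile || typeof lockfile.packages !== "object") {
    throw new Error('no "packages" map: lockfileVersion 1 is not supported, regenerate with a current npm');
  }
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages)) {
    if (key === "") continue; // the root project entry
    const name = packageNameFromPath(key);
    if (name === null || !isWatched(name)) continue;
    hits.push({
      name,
      version: entry.version,
      path: key,
      hasInstallScript: entry.hasInstallScript === true,
      hasIntegrity: typeof entry.integrity === "string",
    });
  }
  return hits;
}

// Constructed sample lockfile; versions and integrity hashes are placeholders.
const SAMPLE_LOCKFILE = {
  name: "dashboard",
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", dependencies: { "@antv/g2": "*", "echarts-for-react": "*", react: "*" } },
    "node_modules/@antv/g2": { version: "0.0.0-placeholder", integrity: "sha512-PLACEHOLDER", hasInstallScript: true },
    "node_modules/@antv/util": { version: "0.0.0-placeholder", integrity: "sha512-PLACEHOLDER" },
    "node_modules/echarts-for-react": { version: "0.0.0-placeholder", integrity: "sha512-PLACEHOLDER" },
    "node_modules/echarts-for-react/node_modules/size-sensor": { version: "0.0.0-placeholder" },
    "node_modules/react": { version: "0.0.0-placeholder", integrity: "sha512-PLACEHOLDER" },
  },
};

function loadLockfile(path) {
  return JSON.parse(require("fs").readFileSync(path, "utf8"));
}

function main() {
  const lockfile = process.argv[2] ? loadLockfile(process.argv[2]) : SAMPLE_LOCKFILE;
  const hits = findWatchedPackages(lockfile);
  if (hits.length === 0) {
    console.log("no watched packages in this lockfile");
    return;
  }
  for (const h of hits) {
    const flags = [h.hasInstallScript ? "INSTALL-SCRIPT" : "", h.hasIntegrity ? "" : "NO-INTEGRITY"]
      .filter(Boolean).join(",");
    console.log(`${h.name}@${h.version}\t${h.path}\t${flags || "-"}`);
  }
  console.log(`${hits.length} watched package(s) present; rotate CI credentials reachable by builds in the compromise window`);
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it as `node scan-lockfile.js path/to/package-lock.json` (the file name is only a suggestion); with no argument it runs against the constructed sample. A hit means the package is in your tree, not that the locked version is malicious: cross-check the versions against the advisory once it is published, and in the meantime install with `npm ci --ignore-scripts` and run `npm audit signatures`, which checks registry signatures and provenance attestations for packages that publish them.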
Potential risks and opportunities
Risks
- Organizations running unaudited CI pipelines against these 314 packages may find AWS, GitHub, and cloud provider tokens already exfiltrated, with attacker dwell time potentially dating back weeks before discovery.
- The @antv ecosystem is embedded in enterprise BI and analytics dashboards across finance and healthcare; any of those production builds pulling compromised versions face regulatory breach-notification obligations if credentials touched patient or financial data environments.
- If the attacker follows the pattern of escalating waves, a third campaign targeting backend Node.js infrastructure packages (express, fastify, or database adapters) could be underway before the npm ecosystem completes remediation of this wave.
Opportunities
- Software composition analysis vendors (Snyk, Socket.dev, Chainguard, Endor Labs) can use this incident to accelerate enterprise sales cycles where procurement was stalled on 'theoretical' supply chain risk.
- npm registry competitors and sigstore-based provenance tools (Sigstore, in-toto, SLSA framework adopters) gain a concrete, high-profile case study to push mandatory publish attestation requirements onto major package registries.
- Security consultancies and MDR providers specializing in CI/CD forensics face immediate inbound demand from frontend-heavy teams needing credential rotation triage and pipeline audit services.
What we don't know yet
- How the attacker obtained publish access across 271 @antv packages simultaneously — whether via a stolen registry token, a compromised maintainer account, or an upstream CI secret — has not been confirmed in public reporting as of May 19, 2026.
- Whether npm / GitHub have revoked the malicious package versions or suspended the responsible publish credentials, and if so when, is not addressed in the source.
- The full list of injected payload behavior (exfiltration targets, persistence mechanisms, C2 infrastructure) has not been publicly disclosed, making it unclear what credentials were captured and where they were sent.
Originally reported by safedep.io
Original headline: Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised in New Wave — 271 @antv Packages, echarts-for-react, size-sensor, timeago.js