A threat group tracked as TeamPCP compromised the npm maintainer account 'atool' and, in a 22-minute automated burst on May 19, 2026, published 637 malicious versions across 323 packages in the @antv data visualization ecosystem. The malware harvests more than 80 kinds of credentials (AWS, GCP, Azure, GitHub and npm tokens, SSH keys, database connection strings), exfiltrates them over encrypted channels disguised as OpenTelemetry traces, installs persistent backdoors (Claude Code session hooks, VS Code tasks, systemd and LaunchAgent daemons), and self-propagates with stolen npm publish tokens. A notable technique is the forging of Sigstore/SLSA Build Level 3 provenance attestations by abusing GitHub Actions OIDC tokens: a validly signed attestation proves only that a build ran in that repository's CI, not that the workflow which ran there was legitimate, so a passing signature check is not evidence of pipeline integrity. Remediation requires removing the persistence mechanisms before revoking tokens, reinstalling with --ignore-scripts, rotating all credentials, and auditing GitHub repositories for injected workflows. This is Wave 5 of the Mini Shai-Hulud campaign, active since September 2025.
Table of contents

- TL;DR
- Affected packages
- How the attack works
- Impact analysis
- Detection
- Remediation
- The bigger campaign: Shai-Hulud Waves
- Attack timeline (May 19, 2026, UTC)
- Snyk coverage
- Secure your supply chain with Snyk