Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised
A compromised npm maintainer account (`atool`) published 637 malicious versions across 317 packages in a 22-minute automated burst on May 19, 2026. High-impact packages include size-sensor (4.2M downloads/month), echarts-for-react (3.8M), and hundreds of @antv scoped packages. The payload is a 498KB obfuscated Bun script matching the Mini Shai-Hulud toolkit used in a prior SAP compromise. Capabilities include full AWS credential chain harvesting, Kubernetes token theft, HashiCorp Vault access, GitHub PAT exfiltration, Docker container escape, CI/CD workflow injection to dump secrets, Sigstore abuse for forged artifact signing, AI agent hijacking (Claude Code, Codex, VS Code), persistent systemd/LaunchAgent GitHub dead-drop C2 backdoor, and lateral infection of local Node.js projects. Exfiltration routes stolen data as Git objects to attacker-created public GitHub repos with Dune-themed names. A redundant payload delivery path exploits GitHub's fork object sharing via orphan commits in antvis/G2, requiring no write access to the target repo. Immediate actions include rotating all credentials accessible from affected build environments, checking for injected AI agent hooks, and removing kitty-monitor persistence daemons.
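Two of the immediate actions above, checking a project for the named packages and looking for the kitty-monitor persistence units, can be scripted. The following is an added triage helper, not code from the original post or from any of the projects mentioned; it takes the package names, the @antv scope and the `kitty-monitor` string from the summary, and the sample lockfile and unit files are constructed here. The summary gives no malicious version numbers, so a lockfile hit means "compare against the advisory's version list", not "confirmed compromised". The systemd and LaunchAgent directories are the standard locations, and the Claude Code `~/.claude/settings.json` hook layout is an assumption to be checked against current documentation.

```python
"""Defender-side triage for the Mini Shai-Hulud npm compromise (added example)."""
import json
from pathlib import Path

# Names taken from the summary above. No versions are listed there, so a match
# only flags a dependency for review against the advisory's version list.
SUSPECT_PACKAGES = {"size-sensor", "echarts-for-react"}
SUSPECT_SCOPES = {"@antv"}
PERSISTENCE_MARKER = "kitty-monitor"

# Standard unit/agent locations (real paths, not taken from the page).
PERSISTENCE_DIRS = [
    Path.home() / ".config" / "systemd" / "user",
    Path("/etc/systemd/system"),
    Path.home() / "Library" / "LaunchAgents",
]
# Assumed location of Claude Code hook configuration; verify against current docs.
CLAUDE_SETTINGS = Path.home() / ".claude" / "settings.json"


def _package_name(lock_key: str) -> str:
    # package-lock v2/v3 keys look like "node_modules/@antv/g2" or
    # "node_modules/a/node_modules/b"; the last segment is the package name.
    return lock_key.rsplit("node_modules/", 1)[-1]


def find_suspect_dependencies(lock: dict) -> list:
    """Return sorted (name, version) pairs from a package-lock that match the watch list."""
    hits = set()
    for key, meta in lock.get("packages", {}).items():
        if not key:  # "" is the root project entry, not a dependency
            continue
        name = _package_name(key)
        scope = name.split("/", 1)[0] if name.startswith("@") else ""
        if name in SUSPECT_PACKAGES or scope in SUSPECT_SCOPES:
            hits.add((name, meta.get("version", "unknown")))
    return sorted(hits)


def find_persistence_markers(unit_texts: dict) -> list:
    """unit_texts maps unit-file path -> contents; returns paths mentioning the marker."""
    return sorted(p for p, text in unit_texts.items() if PERSISTENCE_MARKER in text)


def scan_persistence_dirs(dirs=PERSISTENCE_DIRS) -> list:
    """Read service/timer/plist files from the standard directories and scan them."""
    texts = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for f in d.iterdir():
            if f.is_file() and f.suffix in {".service", ".timer", ".plist"}:
                try:
                    texts[str(f)] = f.read_text(errors="replace")
                except OSError:
                    pass
    return find_persistence_markers(texts)


def list_hook_commands(settings: dict) -> list:
    """Collect every hook command string for manual review (assumed settings layout)."""
    commands = []
    for event_hooks in settings.get("hooks", {}).values():
        for entry in event_hooks:
            for hook in entry.get("hooks", []):
                if "command" in hook:
                    commands.append(hook["command"])
    return commands


# Constructed sample inputs; the versions below are NOT the malicious ones.
SAMPLE_LOCK = {
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/echarts-for-react": {"version": "3.0.2"},
        "node_modules/echarts-for-react/node_modules/size-sensor": {"version": "1.0.2"},
        "node_modules/@antv/g2": {"version": "5.0.0"},
    },
}
SAMPLE_UNITS = {
    "~/.config/systemd/user/kitty-monitor.service":
        "[Unit]\nDescription=kitty-monitor\n[Service]\nExecStart=/usr/bin/bun /tmp/x.js\n",
    "~/.config/systemd/user/syncthing.service":
        "[Unit]\nDescription=Syncthing\n[Service]\nExecStart=/usr/bin/syncthing\n",
}

if __name__ == "__main__":
    lock_path = Path("package-lock.json")
    lock = json.loads(lock_path.read_text()) if lock_path.exists() else SAMPLE_LOCK
    print("review these dependencies:", find_suspect_dependencies(lock))
    print("persistence units mentioning the marker:", scan_persistence_dirs())
    if CLAUDE_SETTINGS.exists():
        print("hook commands to review:",
              list_hook_commands(json.loads(CLAUDE_SETTINGS.read_text())))
```

Run it from a project directory; it reads `package-lock.json` when present and falls back to the constructed sample otherwise. Treat the hook command list as something to read by hand: the summary says hooks were injected, but it does not give a signature to match, so the script deliberately reports every command rather than guessing which one is hostile.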