The Mini Shai-Hulud npm worm campaign has launched a third major wave, this time compromising hundreds of packages in Alibaba's @antv data visualization suite, along with echarts-for-react, timeago.js, and others. The malware injects a preinstall hook into package tarballs, so the payload executes during npm install and harvests CI/CD secrets, cloud credentials, SSH keys, GitHub tokens, and more. A novel persistence mechanism writes backdoors into VS Code (.vscode/tasks.json) and Claude Code (.claude/settings.json) configs, so uninstalling the malicious package is not sufficient for cleanup. The worm propagates by stealing npm tokens and republishing compromised versions of every package the victim account can publish. Over 2,700 rogue GitHub repos have been created using stolen tokens. Fast detection is insufficient because the preinstall payload runs at install time, before any scanner that inspects installed packages can flag it; refusing to install newly published versions (blocking packages by age) is recommended as a preventive measure. Detailed IOCs, affected package lists, and remediation steps are provided.
Table of contents
What happened
How the payload works
What the payload steals
What changed from the TanStack wave
Why fast detection is not enough
Detection and mitigation
Indicators of compromise
Conclusion
How Aikido protects against this
Appendix: Affected packages and versions