A new wave of the Mini Shai-Hulud npm worm has compromised dozens of packages in Alibaba's AntV data visualization ecosystem, including timeago.js (1.5M weekly downloads), echarts-for-react, jest-canvas-mock, and others. The attackers used the compromised `atool` npm account to publish malicious versions containing a heavily obfuscated JavaScript payload that is executed via the Bun runtime.

The payload scrapes the memory of the GitHub Actions Runner.Worker process to recover masked CI/CD secrets in plaintext, harvests credentials from more than 130 file paths (AWS, GCP, Azure, Kubernetes, SSH keys, crypto wallets, AI tool configs), and exfiltrates the data through two channels: a GitHub API dead-drop in the legitimate antvis/G2 repository and a fake OpenTelemetry C2 server at t.m-kosche.com. Over 2,500 public GitHub repositories have been created with stolen tokens, each named with Dune-universe terminology. The payload also drops persistent backdoors into Claude Code and VS Code configurations and injects malicious GitHub Actions workflows. Two delivery mechanisms were used: direct preinstall/postinstall hooks, and a more subtle optionalDependencies git reference pointing at a poisoned commit.

Affected users should immediately rotate all credentials, remove the persistence artifacts, and pin to known-safe package versions.
Table of contents

Compromised Packages
Runtime Analysis with Harden-Runner
Exfiltrated Secrets in Public Repositories
Background: The atool npm Account and the AntV Ecosystem
Attack Timeline
Two Delivery Mechanisms
Attack Flow Diagram
Payload Analysis
Indicators of Compromise
Am I Affected?
For the Community: Recovery Steps
For StepSecurity Enterprise Customers