Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages
The "Mini Shai-Hulud" threat actor group has unleashed a widespread, self-propagating npm worm that has successfully compromised hundreds of popular @antv packages, which are widely utilized for data visualization. The malicious payload targets Alibaba's @antv packages, along with popular libraries like echarts-for-react and timeago.js. Once installed, the worm scans the local system to steal CI/CD secrets, configuration files, and authentication keys. Crucially, the worm targets development environments utilizing VS Code and Claude Code, planting persistent backdoors directly into the IDE configurations. After compromising these tools, the worm automatically republishes infected versions of the developer's own packages to the public registry using their cached credentials, rapidly multiplying the infection across the open-source supply chain.Organizations must instantly quarantine all usage of affected @antv, echarts-for-react, and timeago.js modules, purging local package-lock structures and build caches. Developers must carefully inspect their local VS Code settings and Claude Code profiles for unauthorized modifications or persistent scripts. All npm publishing tokens and developer credentials must be revoked immediately, and code signing protocols should be enforced to prevent automated, unauthorized package releases.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.
Related Articles





