What is Mini Shai-Hulud npm supply chain attack, and was Microsoft and Socket hit by malware? A new software supply chain attack has affected the npm ecosystem and raised concern across developer and security communities. The attack targeted packages linked to the @antv ecosystem and spread into downstream tools and applications. Security researchers confirmed that hundreds of malicious package versions were published in a short time window. The malware focused on credential theft and propagation through CI/CD pipelines and repositories. Microsoft Defender detected malicious activity, while Socket began investigating the compromised packages. The incident highlights risks in dependency management and automated package updates.
What is Mini Shai-Hulud npm supply chain attack, and was Microsoft and Socket hit by malware?
The Mini Shai-Hulud npm supply chain attack is a malware campaign that used compromised npm accounts to publish infected package versions. These packages spread into many applications through dependencies and CI/CD pipelines. The malware focused on stealing credentials and spreading across repositories. Microsoft confirmed detections through Microsoft Defender, and Socket confirmed investigation of the compromised packages and the large attack wave affecting the @antv ecosystem.
Microsoft confirmed it is investigating an emerging npm supply chain attack targeting antv packages. The incident involves compromised packages, credential theft, and worm-like propagation across repositories and development environments.
What is Mini Shai-Hulud npm supply chain attack?
The Mini Shai-Hulud npm supply chain attack is a worm-like attack that injects credential-stealing code into popular npm packages. The malware runs during installation using a preinstall hook and collects tokens, keys, and configuration files from developer environments. It then uses stolen tokens to publish more infected packages, allowing the attack to spread fast across repositories and software projects.
Was Microsoft and Socket hit by malware?
Microsoft and Socket were not victims of infection but were involved in detection and investigation. Microsoft Defender detected the malicious packages and blocked execution attempts. Socket confirmed that hundreds of packages in the @antv ecosystem were compromised and warned developers to audit dependencies, rotate credentials, and switch to safe versions.
Compromised maintainer account triggered the attack
The attack started after the compromise of an npm maintainer account named atool. Attackers used the account to publish malicious versions of packages used by developers worldwide.
The publishing burst happened within a short time window. Reports show 631 malicious versions across 314 packages were published in about 22 minutes. Other analysis estimates 639 versions across 323 packages. These packages are part of the @antv ecosystem, which supports data visualization, charting, mapping, and React tools.
Because these packages are widely used as dependencies, the attack spread into downstream libraries such as:
This created a large exposure across applications and CI environments.
Malware delivered through npm preinstall hook
The malicious versions contained a byte-identical payload. The payload used an obfuscated Bun script executed during the preinstall hook. This means the malware ran during installation. Developers did not need to use the package for infection. Installing the dependency was enough. The payload size was around 498KB and heavily obfuscated.
Credentials targeted by the payload
The malware was designed to harvest many secret types. These included:
The malware collected more than 20 credential types.
Exfiltration and propagation behavior
Collected data was compressed, encrypted, and sent to the domain:
t.m-kosche[.]com:443
Transport Layer Security validation was disabled. As a fallback method, stolen GitHub tokens were used to create public repositories and upload stolen data. More than 2,500 repositories were found with markers linked to the campaign. The malware also attempted Docker container escape if the host socket was exposed. It tried to run a privileged container with host file system access.
Worm-like spread across repositories
The malware used stolen npm tokens to spread further. It validated tokens through the npm registry API. Then it:
This behavior allowed rapid propagation across repositories.
Microsoft detection and investigation
Microsoft Defender detected the malicious packages as:
These detections blocked credential theft and post-install execution.
Microsoft advised developers to:
Socket investigation confirms wide compromise
Socket reported an active npm supply chain attack affecting hundreds of packages. The attack is tied to the Mini Shai-Hulud campaign. The affected packages include many from the @antv ecosystem and related tools. The popularity of these packages increases downstream exposure. Even a small number of malicious updates can affect many organizations due to automatic dependency updates.
Supply chain Levels for Software Artifacts forgery
The malware abused stolen OIDC tokens to forge SLSA provenance. This allowed attackers to sign artifacts with legitimate certificates in CI environments. The forged provenance made malicious releases look legitimate. The certificate identity belonged to the CI runner. However, the release was not authorized.
TeamPCP and copycat campaigns
Researchers link the campaign to a financially motivated group called TeamPCP. The group released the worm source code publicly as part of a supply chain attack contest. This increased the risk of copycat attacks. Researchers have already found cloned versions of the worm in new npm packages.
Impact on CI/CD and developer ecosystems
The campaign targets CI/CD pipelines, GitHub workflows, and AI coding tool hooks.
Organizations using:
may be exposed to credential theft and further compromise.
Mitigation steps for developers and organizations
Security experts recommend:
The attack shows the risk of trusting dependencies without verification.
FAQs
Q1: What is Mini Shai-Hulud npm supply chain attack?
The Mini Shai-Hulud attack is a malware campaign that infects npm packages using compromised accounts. It steals credentials, spreads through repositories, and targets CI/CD pipelines and cloud environments.
Q2: Was Microsoft and Socket hit by malware?
Microsoft and Socket confirmed investigations and detections. Microsoft Defender detected the malicious packages, while Socket reported widespread compromise of packages linked to the @antv ecosystem.
What is Mini Shai-Hulud npm supply chain attack, and was Microsoft and Socket hit by malware?
The Mini Shai-Hulud npm supply chain attack is a malware campaign that used compromised npm accounts to publish infected package versions. These packages spread into many applications through dependencies and CI/CD pipelines. The malware focused on stealing credentials and spreading across repositories. Microsoft confirmed detections through Microsoft Defender, and Socket confirmed investigation of the compromised packages and the large attack wave affecting the @antv ecosystem.Microsoft confirmed it is investigating an emerging npm supply chain attack targeting antv packages. The incident involves compromised packages, credential theft, and worm-like propagation across repositories and development environments.
What is Mini Shai-Hulud npm supply chain attack?
The Mini Shai-Hulud npm supply chain attack is a worm-like attack that injects credential-stealing code into popular npm packages. The malware runs during installation using a preinstall hook and collects tokens, keys, and configuration files from developer environments. It then uses stolen tokens to publish more infected packages, allowing the attack to spread fast across repositories and software projects.Was Microsoft and Socket hit by malware?
Microsoft and Socket were not victims of infection but were involved in detection and investigation. Microsoft Defender detected the malicious packages and blocked execution attempts. Socket confirmed that hundreds of packages in the @antv ecosystem were compromised and warned developers to audit dependencies, rotate credentials, and switch to safe versions.Compromised maintainer account triggered the attack
The attack started after the compromise of an npm maintainer account named atool. Attackers used the account to publish malicious versions of packages used by developers worldwide.The publishing burst happened within a short time window. Reports show 631 malicious versions across 314 packages were published in about 22 minutes. Other analysis estimates 639 versions across 323 packages. These packages are part of the @antv ecosystem, which supports data visualization, charting, mapping, and React tools.
Because these packages are widely used as dependencies, the attack spread into downstream libraries such as:
- echarts-for-react
- timeago.js
- size-sensor
- canvas-nest.js
This created a large exposure across applications and CI environments.
Malware delivered through npm preinstall hook
The malicious versions contained a byte-identical payload. The payload used an obfuscated Bun script executed during the preinstall hook. This means the malware ran during installation. Developers did not need to use the package for infection. Installing the dependency was enough. The payload size was around 498KB and heavily obfuscated.Credentials targeted by the payload
The malware was designed to harvest many secret types. These included:- GitHub personal access tokens and OIDC tokens
- npm credentials and AWS credentials
- Security Token Service sessions
- SSH keys and Kubernetes configs
- .env and .npmrc files
- Slack tokens and Stripe keys
- Vault tokens and database strings
- Docker authentication and cloud service accounts
The malware collected more than 20 credential types.
Exfiltration and propagation behavior
Collected data was compressed, encrypted, and sent to the domain:t.m-kosche[.]com:443
Transport Layer Security validation was disabled. As a fallback method, stolen GitHub tokens were used to create public repositories and upload stolen data. More than 2,500 repositories were found with markers linked to the campaign. The malware also attempted Docker container escape if the host socket was exposed. It tried to run a privileged container with host file system access.
Worm-like spread across repositories
The malware used stolen npm tokens to spread further. It validated tokens through the npm registry API. Then it:- Enumerated packages owned by the victim
- Downloaded package files
- Injected the malicious payload
- Added a preinstall hook
- Increased package versions
- Republished packages using the victim identity
This behavior allowed rapid propagation across repositories.
Microsoft detection and investigation
Microsoft Defender detected the malicious packages as:- Trojan:AIGen/NPMStealer
- Suspicious Node.js process behavior
- Credential access attempt
These detections blocked credential theft and post-install execution.
Microsoft advised developers to:
- Audit dependencies
- Downgrade to versions before 18 May 2025
- Rotate credentials
- Validate CI pipelines
- Review network logs
Socket investigation confirms wide compromise
Socket reported an active npm supply chain attack affecting hundreds of packages. The attack is tied to the Mini Shai-Hulud campaign. The affected packages include many from the @antv ecosystem and related tools. The popularity of these packages increases downstream exposure. Even a small number of malicious updates can affect many organizations due to automatic dependency updates.Supply chain Levels for Software Artifacts forgery
The malware abused stolen OIDC tokens to forge SLSA provenance. This allowed attackers to sign artifacts with legitimate certificates in CI environments. The forged provenance made malicious releases look legitimate. The certificate identity belonged to the CI runner. However, the release was not authorized.TeamPCP and copycat campaigns
Researchers link the campaign to a financially motivated group called TeamPCP. The group released the worm source code publicly as part of a supply chain attack contest. This increased the risk of copycat attacks. Researchers have already found cloned versions of the worm in new npm packages.Impact on CI/CD and developer ecosystems
The campaign targets CI/CD pipelines, GitHub workflows, and AI coding tool hooks.Organizations using:
- GitHub Actions
- Docker Hub
- VS Code extensions
- Cloud CI runners
may be exposed to credential theft and further compromise.
Mitigation steps for developers and organizations
Security experts recommend:- Rotate credentials immediately
- Enable two-factor authentication
- Audit GitHub repositories for markers
- Switch to safe package versions
- Review build artifacts
- Block the exfiltration domain
The attack shows the risk of trusting dependencies without verification.
FAQs
Q1: What is Mini Shai-Hulud npm supply chain attack?
The Mini Shai-Hulud attack is a malware campaign that infects npm packages using compromised accounts. It steals credentials, spreads through repositories, and targets CI/CD pipelines and cloud environments.
Q2: Was Microsoft and Socket hit by malware?
Microsoft and Socket confirmed investigations and detections. Microsoft Defender detected the malicious packages, while Socket reported widespread compromise of packages linked to the @antv ecosystem.
