Ecosystem Poisoned: Mini Shai-Hulud Worm Hijacks @antv npm Packages to Target CI/CD Pipelines

A massive, fast-moving software supply chain attack has struck the global JavaScript development ecosystem. Over the past 24 hours, Microsoft has detected an aggressive wave of malicious code deployments targeting the @antv Node Package Manager (npm) ecosystem.

By hijacking a high-value maintainer account holding widespread publishing rights, a sophisticated threat actor successfully injected a self-replicating worm into hundreds of data visualization, graphing, and mapping libraries. The intrusion marks a dramatic escalation in the ongoing Mini Shai-Hulud campaign, shifting the battlefield directly into continuous integration and continuous delivery (CI/CD) automated testing environments.

As the Microsoft Threat Intelligence team details in its warning:

“Microsoft has identified an active supply chain attack targeting the @antv node package manager (npm) package ecosystem. A threat actor compromised an @antv maintainer account and published malicious versions of widely used data-visualization packages, resulting in cascading downstream impact.”

The compromised maintainer account held publishing authority over prominent, enterprise-grade open-source charting suites embedded across thousands of corporate dashboards and internal web applications.

Because modern software architectures rely heavily on automated, downstream dependency resolution, the single account breach rippled out instantly into adjacent, highly popular development assets. According to Microsoft, the blast radius rapidly expanded into staple developer libraries:

“The compromise propagated through dependency chains into libraries like echarts-for-react (which has more than 1 million weekly downloads), expanding the blast radius into CI/CD pipelines and cloud workloads across the ecosystem.”

The threat introduces an incredibly sophisticated injection model designed to evade classic file-integrity scanners and static signature definitions.

Every compromised package contains a heavily obfuscated ~499 KB JavaScript file appended directly to the application’s root registry, tied to an automatic installation hook inside the package.json file. The moment a developer pulls down a fresh build, or a cloud-connected CI/CD runner processes a routine container deployment, the code executes silently before the legitimate software payload can step into place.

The underlying threat architecture behaves like an intelligent memory-resident harvester. Once initialized inside a virtual build environment, the malware aggressively interrogates local processes to grab hidden environmental data. Microsoft records the deep, multi-platform harvesting capabilities observed within the payload:

“Key capabilities observed in the payload include multi-platform credential theft (GitHub, Amazon Web Services, HashiCorp Vault, npm, Kubernetes, 1Password), GitHub Action Runner process memory scraping, privilege escalation, dual-channel data exfiltration, and Supply chain Levels for Software Artifacts (SLSA) provenance forgery. These capabilities suggest a deliberate effort to evade analysis and an apparent focus on CI/CD environments.”

By actively executing memory scraping against the running GitHub Action processes, the malware can successfully lift high-value cloud, vault, and development API tokens in raw plaintext before they can be scrubbed or rotated by standard background operations.

To establish complete, long-term survival, Mini Shai-Hulud alters the foundational trust mechanics of open-source distribution systems.

By exploiting cryptographic keys via public Sigstore frameworks, the malware can generate forged SLSA provenance attestations. This clever manipulation tricks development scanners into believing the altered code package is a legitimate, verified build coming straight from an authorized enterprise release channel.

If the malware’s primary encrypted HTTPS command-and-control (C2) network channel encounters firewall blocks, the payload pivots to a fallback routine using stolen developer access keys. It calls out to the public Git Data API to programmatically generate hundreds of unauthorized, public repositories hosted straight out of the victim’s personal or corporate GitHub organization accounts, using these dummy repositories as dead-drop storage lockers to stage serialized stolen secret blocks.

Upon confirming the activity, GitHub intervened to limit the immediate damage across the open-source community. Security teams systematically removed 640 malicious package variants from the public registry while universally invalidating 61,274 granular npm access tokens carrying write permissions and two-factor authentication (2FA) bypass flags to choke out the worm’s propagation loop.

However, because the exfiltration pipeline completes its loops in a matter of minutes, the threat profile remains exceptionally high for impacted development teams.