Shai-Hulud Malware Returns in npm Attack, Over 300 @antv Packages Affected
A new wave of Shai-Hulud npm malware has compromised the @antv ecosystem, affecting more than 300 npm packages and creating a major open-source supply chain risk for developers and organizations.
According to OX Security, the campaign targets packages in the @antv namespace and related graphical analysis tools. The firm reported 320+ affected packages, more than 16 million weekly downloads, over 59 million monthly downloads, and 2,100+ GitHub repositories containing stolen credentials linked to the campaign.
What Was Infected?
The attack impacted packages tied to the compromised npm maintainer account atool. SafeDep reported that attackers published 637 malicious versions across 317 packages in a 22-minute automated burst on May 19, 2026.
Technically, the malware modifies package.json by adding a malicious preinstall hook that runs bun run index.js before installation completes. SafeDep also found that 630 of 637 malicious versions injected an optionalDependencies entry pointing to @antv/setup via a GitHub dependency hosted through the legitimate antvis/G2 repository.
The payload is a 498KB obfuscated Bun script that scans developer machines and CI/CD environments for GitHub tokens, npm tokens, AWS keys, SSH keys, Kubernetes tokens, Vault credentials, database strings, and password manager vaults. Stolen data is exfiltrated through public GitHub repositories and encrypted HTTPS requests disguised as OpenTelemetry traffic.
Important Affected Packages
| Package | Compromised Versions | Why It Matters |
|---|---|---|
| size-sensor | 1.0.4, 1.1.4, 1.2.4 | High-impact package, around 4.2M monthly downloads |
| echarts-for-react | 3.0.7, 3.1.7, 3.2.7 | Popular React wrapper for Apache ECharts |
| timeago.js | 4.1.2, 4.2.2 | Widely used date/time formatting library |
| canvas-nest.js | 2.1.4, 2.2.4 | Non-@antv package affected in the wave |
| @antv/g2 | 5.5.8, 5.6.8 | Core AntV visualization package |
| @antv/g6 | 5.2.1, 5.3.1 | Graph visualization package |
| @antv/l7 | 2.26.10, 2.27.10 | Mapping/location visualization library |
| @antv/x6 | 3.2.7, 3.3.7 | Diagram and graph editing library |
| @antv/s2 | 2.8.1, 2.9.1 | Spreadsheet/table visualization package |
| @antv/data-set | 0.12.8, 0.13.8 | Data transformation package |
SafeDep's full list covers 317 affected packages, among them major @antv packages such as @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g2plot, @antv/graphin, and @antv/data-set.
Prevention and What to Do Next
Developers should immediately audit package-lock.json, pnpm-lock.yaml, and yarn.lock for affected versions. If a compromised version was installed, rotate all GitHub, npm, cloud, SSH, database, CI/CD, and password manager credentials accessible from the machine or build environment.
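One way to do that audit for npm's package-lock.json, as an added example that is not code from SafeDep, OX Security or the AntV project: it checks every resolved package against the versions in the table above and flags the injected @antv/setup optionalDependencies entry. The sample lockfile fragment and its `github:antvis/G2` specifier value are constructed for the demonstration.

```javascript
// Added example (not SafeDep/OX code): audit an npm package-lock.json
// (lockfileVersion 2 or 3) for the compromised versions listed above and
// for the injected @antv/setup optionalDependencies entry.
// Compromised versions from the table in this article (name -> versions).
const COMPROMISED = {
  'size-sensor': ['1.0.4', '1.1.4', '1.2.4'],
  'echarts-for-react': ['3.0.7', '3.1.7', '3.2.7'],
  'timeago.js': ['4.1.2', '4.2.2'],
  'canvas-nest.js': ['2.1.4', '2.2.4'],
  '@antv/g2': ['5.5.8', '5.6.8'],
  '@antv/g6': ['5.2.1', '5.3.1'],
  '@antv/l7': ['2.26.10', '2.27.10'],
  '@antv/x6': ['3.2.7', '3.3.7'],
  '@antv/s2': ['2.8.1', '2.9.1'],
  '@antv/data-set': ['0.12.8', '0.13.8'],
};
// Lockfile "packages" keys are install paths; the package name is whatever
// follows the last "node_modules/" (covers nested and scoped packages).
function packageNameFromPath(installPath) {
  const idx = installPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : installPath.slice(idx + 'node_modules/'.length);
}
// Walk every resolved package and collect findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (!name) continue; // the "" key is the root project itself
    if ((COMPROMISED[name] || []).includes(entry.version)) {
      findings.push({ name, version: entry.version, reason: 'compromised version' });
    }
    if (entry.optionalDependencies && '@antv/setup' in entry.optionalDependencies) {
      findings.push({ name, version: entry.version, reason: 'optionalDependencies references @antv/setup' });
    }
  }
  return findings;
}
// Audit a lockfile on disk, e.g. auditLockfileAt('./package-lock.json').
function auditLockfileAt(filePath) {
  const fs = require('fs');
  return auditLockfile(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}
// Constructed sample lockfile fragment (not a real capture) for a self-contained run.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@antv/g2': { version: '5.5.8', optionalDependencies: { '@antv/setup': 'github:antvis/G2' } },
  'node_modules/size-sensor': { version: '1.0.2' },
} };
```

Lockfile entries do not carry the preinstall script itself, so a clean lockfile result still leaves the installed node_modules/*/package.json files to be checked for the injected hook.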
Security teams should check GitHub accounts for suspicious public repositories containing the reversed marker string niagA oG eW ereH :duluH-iahS, block t.m-kosche[.]com at DNS/network level, review npm publishing logs, inspect GitHub Actions OIDC activity, and remove suspicious files such as .claude/setup.mjs, .vscode/tasks.json, kitty-monitor, and gh-token-monitor.
To reduce future risk, organizations should pin dependencies, enforce lockfiles, avoid automatic dependency updates in CI, monitor new package releases before adoption, and block unexpected lifecycle scripts such as preinstall in sensitive environments.