npm · 2026-05-19 · major
Mini Shai-Hulud Strikes Again — A Hijacked npm Account Pushed 637 Malicious Versions Across 314 AntV-Ecosystem Packages
A hijacked npm maintainer account published 637 malicious versions across 314 packages on May 19, including AntV charting libraries and echarts-for-react. The Bun-based payload harvests cloud credentials and self-propagates via stolen tokens.

A copycat of the Shai-Hulud worm poisoned hundreds of widely-used npm packages in a 22-minute automated burst.
Key specs
| Packages compromised | 314 |
|---|---|
| Malicious versions | 637 |
| Weekly downloads affected | ~16M |
| Attack duration | 22 minutes |
What is it?
Mini Shai-Hulud is a credential-stealing supply-chain campaign that abuses compromised npm maintainer accounts to publish malware-laced package versions. On May 19, 2026 the attacker took over the 'atool' account and pushed 637 malicious versions across 314 packages, many of them AntV charting libraries plus high-traffic dependencies like echarts-for-react, size-sensor, and timeago.js.
How does it work?
Each poisoned package runs a 498KB obfuscated Bun script from a preinstall hook. It scans the build environment for AWS, GCP, Azure, GitHub, npm, SSH, Vault, and Kubernetes credentials plus local password-manager vaults, then exfiltrates them through git commits to public repos and an HTTPS channel disguised as OpenTelemetry traffic. It also injects CI workflows, hijacks AI-agent session hooks, and converts GitHub Actions tokens into npm publish tokens to spread further.
Why does it matter?
The affected packages pull roughly 16 million weekly downloads, so any CI run or developer install during the window could have leaked secrets. Anyone who installed an 'atool' package version dated May 19 should rotate every credential reachable from that build environment and audit their lockfiles.
Who is it for?
JavaScript developers and CI/CD operators
Try it
Audit lockfiles for atool packages dated 2026-05-19 and rotate any exposed credentials