600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack

May 27, 2026

A sophisticated npm supply chain campaign dubbed Mini Shai-Hulud has claimed over 600 package versions overnight, with security researchers at Socket and Endor Labs identifying 639 compromised package versions across 323 unique packages in the latest wave.

The bulk of the activity targeted the @antv ecosystem, alongside packages under @lint-md, @openclaw-cn, and @starmind scopes.

Malicious publish activity began at approximately 01:56 UTC on May 19, 2026, continuing until 02:56 UTC.

Socket’s detection systems flagged most activity within 6 to 12 minutes of publication, with a median detection time of 6.7 minutes.

Endor Labs independently observed 42 malicious packages between 01:39 and 02:06 UTC, tracing the campaign’s origin to two long-dormant packages: jest-canvas-mock and size-sensor, neither of which had been published in over three years.

Across the full Mini Shai-Hulud campaign tracked to date, researchers have confirmed 1,055 compromised versions across 502 unique packages, spanning npm (1,048 versions), PyPI (6 versions), and Composer (1 version).

The injected payload operates at install time via a preinstall lifecycle hook:

```json
"preinstall": "bun run index.js"
```

A root-level index.js file, heavily obfuscated using a string-array lookup table and a custom decryptor exposed through globalThis, executes automatically upon package installation.

The payload exfiltrates stolen data to a hardcoded HTTPS endpoint: https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces.

Collected data is gzip-compressed, AES-256-GCM encrypted, and the AES key is wrapped with RSA-OAEP/SHA-256 before transmission — a layered approach designed to prevent plaintext recovery from network telemetry.

The payload aggressively targets developer and CI/CD environments, harvesting:

  • GitHub tokens, npm tokens, and AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
  • Kubernetes service account material (KUBECONFIG, KUBERNETES_SERVICE_HOST)
  • Vault tokens (VAULT_TOKEN, VAULT_AUTH_TOKEN)
  • SSH/private keys, Docker auth files, and database connection strings

The malware contains explicit logic for 18+ CI/CD platforms, including GitHub Actions, GitLab CI, CircleCI, Jenkins, Azure DevOps, AWS CodeBuild, Vercel, Netlify, and Cloudflare Pages.

If a usable GitHub token is obtained, the payload creates repositories under the victim’s account and commits stolen data into a results/results-<timestamp>-<counter>.json path.

Public GitHub searches currently reveal approximately 1,900 attacker-created repositories using the reversed campaign marker niagA oG eW ereH :duluH-iahS (decoding to “Shai-Hulud: Here We Go Again”) with Dune-themed repository names such as sayyadina-stillsuit-852 and atreides-ornithopter-112. The repository Zaynex/sayyadina-stillsuit-852 has been confirmed as an active exfiltration staging repo.

The worm also abuses stolen npm tokens to enumerate maintainable packages, inject the payload, bump version numbers, and republish, enabling self-propagation across the npm ecosystem under legitimate maintainer identities.

Endor Labs highlighted three novel behaviors in this wave:

  • Sigstore abuse: The worm now calls Fulcio and Rekor at runtime to obtain valid signing certificates and transparency log entries, causing provenance tooling to display a green badge despite the malicious build chain
  • Dormant account targeting: Packages like jest-canvas-mock, size-sensor, and timeago.js (dormant for 3–10 years) were used as entry points, as older accounts attract less scrutiny
  • Single-token namespace takeover: At least 37 @antv/* packages are confirmed malicious, consistent with a single stolen token holding publish rights across the entire namespace

Indicators of Compromise

| Type | Indicator |
| --- | --- |
| C2 Endpoint | t[.]m-kosche[.]com:443/api/public/otel/v1/traces |
| GitHub Marker | niagA oG eW ereH :duluH-iahS |
| Repo Pattern | <dune-word>-<dune-word>-<digits> |
| Exfil Path | results/results-*.json |
| Key Secret Targets | GITHUB_TOKEN, AWS_ACCESS_KEY_ID, VAULT_TOKEN, KUBECONFIG |
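For incident responders checking their own accounts and organizations, the sketch below triages a repository inventory against the marker, repo-name pattern and exfil path listed above. It is an added example, not code from Socket, Endor Labs or the original article; the input shape ({name, description, paths}), the sample data, and the assumption that the marker shows up in the repository name or description are all constructed for illustration.

```javascript
// Added example: triage a repository inventory against the IoCs listed above.
// Input shape and sample data are constructed; adapt to your own inventory export.
const DECODED = 'Shai-Hulud: Here We Go Again';
const MARKER = [...DECODED].reverse().join('');     // reversed form of the marker
const NAME_RE = /^[a-z]+-[a-z]+-\d+$/;              // <word>-<word>-<digits>
const EXFIL_RE = /^results\/results-[^/]+\.json$/;  // results/results-*.json

function triageRepo(repo) {
  // Assumption: the marker is looked for in the name and description fields.
  const text = `${repo.name} ${repo.description || ''}`;
  const hits = [];
  if (text.includes(MARKER) || text.includes(DECODED)) hits.push('marker');
  if (NAME_RE.test(repo.name)) hits.push('name-pattern');
  if ((repo.paths || []).some((p) => EXFIL_RE.test(p))) hits.push('exfil-path');
  // The name pattern also matches ordinary repositories, so on its own it only
  // asks for a manual look; marker or exfil path raises the priority.
  const strong = hits.includes('marker') || hits.includes('exfil-path');
  const verdict = strong ? 'high' : hits.length > 0 ? 'review' : 'clean';
  return { name: repo.name, hits, verdict };
}

// Returns only repositories that need attention, highest priority first.
function triageInventory(repos) {
  const rank = { high: 0, review: 1 };
  return repos
    .map(triageRepo)
    .filter((r) => r.verdict !== 'clean')
    .sort((a, b) => rank[a.verdict] - rank[b.verdict]);
}

// Constructed inventory: one repo carrying all three indicators, one benign repo
// that happens to match the name shape, and one unrelated repo.
const SAMPLE = [
  { name: 'team-docs-2024', description: 'Internal docs', paths: ['README.md'] },
  { name: 'word-word-000', description: MARKER,
    paths: ['results/results-1700000000000-1.json'] },
  { name: 'payments-api', description: 'Service', paths: ['results/summary.json'] },
];
console.log(triageInventory(SAMPLE));
```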

Mitigations

  • Audit all recently updated @antv/*, @lint-md, @openclaw-cn, and @starmind packages immediately
  • Rotate any GitHub tokens, npm tokens, AWS credentials, and Vault tokens exposed in CI/CD environments
  • Do not rely solely on Sigstore provenance badges as indicators of package integrity
  • Monitor npm install logs for unexpected preinstall scripts invoking bun
  • Block outbound connections to t[.]m-kosche[.]com at the network perimeter
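One way to act on the "preinstall scripts invoking bun" item is to audit the manifests already on disk. The following is an added example, not code from the advisories or the original article; the function names, the choice of hooks to inspect (preinstall, install, postinstall) and the sample manifests are assumptions made for illustration.

```javascript
// Added example: flag install-time lifecycle hooks that invoke bun.
const HOOKS = ['preinstall', 'install', 'postinstall'];
// "bun" or "bunx" as a command word, also when reached through a path such as .bin/bun.
const BUN_RE = /(^|[\s;&|/])bunx?(\s|$)/;

// Audit one package.json given as text. Malformed JSON is reported as a finding
// rather than thrown, so one broken manifest cannot hide the rest of the tree.
function auditManifest(manifestText, where = '<inline>') {
  let pkg;
  try {
    pkg = JSON.parse(manifestText);
  } catch (err) {
    return [{ where, hook: null, reason: 'unparseable package.json' }];
  }
  const scripts = pkg && typeof pkg.scripts === 'object' && pkg.scripts ? pkg.scripts : {};
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd === 'string' && BUN_RE.test(cmd)) {
      findings.push({ where, name: pkg.name, version: pkg.version, hook, cmd });
    }
  }
  return findings;
}

// Walk an installed tree, including scopes and nested node_modules. fs and path are
// passed in (Node: require('fs'), require('path')); symlinked dirs are not followed.
function scanTree(root, fs, path) {
  const out = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const dir = path.join(root, entry.name);
    const manifest = path.join(dir, 'package.json');
    if (fs.existsSync(manifest)) {
      out.push(...auditManifest(fs.readFileSync(manifest, 'utf8'), manifest));
    }
    out.push(...scanTree(dir, fs, path));
  }
  return out;
}

// Constructed manifests: one with the hook described in this article, one benign.
const SAMPLE_BAD = '{"name":"@example-scope/constructed-pkg","version":"0.0.0","scripts":{"preinstall":"bun run index.js"}}';
const SAMPLE_OK = '{"name":"constructed-ok","scripts":{"postinstall":"node scripts/bundle.js"}}';
console.log(auditManifest(SAMPLE_BAD), auditManifest(SAMPLE_OK));
```

A hit is a reason to inspect the package, not a verdict: legitimate packages can use bun in install hooks, and the scan only sees what is already unpacked on disk.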

Socket and Endor Labs have both published detailed advisories listing the affected packages. Organizations running affected packages should treat any exposed credentials as fully compromised and initiate incident response procedures immediately.

Source: CybersecurityNews.com
