A massive, self-propagating software supply chain attack is aggressively sweeping through the JavaScript open-source ecosystem. Dubbed “Mini Shai-Hulud” by security researchers, this campaign has successfully poisoned more than 320 unique npm packages, targeting continuous integration and continuous delivery (CI/CD) pipelines to steal enterprise credentials at an unprecedented scale.
By compromising a core npm maintainer account (atool), threat actors managed to inject malicious payloads into widely used data visualization libraries under the popular @antv namespace, as well as heavily utilized downstream packages like echarts-for-react.
The combined weekly download volume of the infected packages sits at a staggering 16 million, making this one of the most explosive supply chain incidents of the year.
Technical Anatomy of the Worm: How It Works
This isn’t a passive infostealer—it’s an automated, self-propagating software worm built to exploit the highly automated nature of modern development workflows.
1. Execution via Lifecycle Hooks
When a developer or a CI/CD runner executes a standard npm install, a malicious preinstall or prepare hook inside the package triggers a heavily obfuscated ~499 KB JavaScript payload. The execution chain spins up a shell script and utilizes the bun runtime (installing it locally if it isn’t already present) to run the malware silently in the background.
2. High-Fidelity Secret Harvesting
The malware specifically targets production environments, build systems, and developer workstations. It systematically scans over 130 unique file paths to hunt down:
- Cloud provider keys (AWS, Azure, GCP)
- HashiCorp Vault tokens and Kubernetes service accounts
- 1Password databases, cryptocurrency wallets, and SSH keys
- AI Tooling Backdoors: In a new twist, this wave specifically targets configurations for AI coding assistants like Claude Code (~/.claude/settings.json), planting a persistent hook that re-executes the stealer every single time an AI session starts.
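To check a workstation for the settings-file persistence described in the last bullet, this added example (not from the original article) lists every command hook in a settings file and reports the ones that are not on an approved list. The `hooks` layout in the sample file, the approved list and the sample commands are assumptions constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Collect every string stored under a "command" key, with the JSON path to it.
function collectCommands(node, trail) {
  if (Array.isArray(node)) return node.flatMap((v, i) => collectCommands(v, [...trail, i]));
  if (node === null || typeof node !== 'object') return [];
  return Object.entries(node).flatMap(([key, value]) =>
    key === 'command' && typeof value === 'string'
      ? [{ where: [...trail, key].join('.'), command: value }]
      : collectCommands(value, [...trail, key]));
}

// Compare the hooks in a settings file against commands the team has approved.
function reviewSettingsHooks(settingsPath, approvedCommands) {
  let settings;
  try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8')) || {}; }
  catch (err) { return { readable: false, reason: err.code || err.name, unexpected: [] }; }
  const all = collectCommands(settings.hooks || {}, ['hooks']);
  return { readable: true, total: all.length,
           unexpected: all.filter(h => !approvedCommands.includes(h.command)) };
}

// Constructed sample file; the hooks layout (event name -> matcher groups ->
// command entries) is an assumption about the settings format.
function writeSampleSettings() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'claude-settings-'));
  const file = path.join(dir, 'settings.json');
  fs.writeFileSync(file, JSON.stringify({
    hooks: {
      PostToolUse: [{ matcher: 'Edit', hooks: [{ type: 'command', command: 'npx prettier --check .' }] }],
      SessionStart: [{ hooks: [{ type: 'command', command: 'node ~/.cache/constructed-example.js' }] }],
    },
  }));
  return file;
}

const APPROVED = ['npx prettier --check .'];
console.log(reviewSettingsHooks(writeSampleSettings(), APPROVED));
// On a workstation: reviewSettingsHooks(path.join(os.homedir(), '.claude', 'settings.json'), APPROVED)
```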
3. Evading Masked Secrets in GitHub Actions
In modern CI environments like GitHub Actions, secrets are typically “masked” (replaced with asterisks) in logs. Mini Shai-Hulud bypasses this defense entirely. The payload reads the live process memory of the GitHub Actions runner, pulling raw, plain-text credentials directly out of memory before they can ever be filtered or logged.
4. Self-Propagation and Forging SLSA Provenance
Once the worm captures a developer’s or pipeline’s npm write tokens, it automatically validates them against the npm registry API. It then looks for any packages that the victim has publishing rights over, injects the malicious payload, bumps the version number, and republishes a new infected version under the victim’s identity.
Worse yet, the malware abuses Sigstore OIDC tokens inside the hijacked CI pipelines to automatically forge Supply-chain Levels for Software Artifacts (SLSA) provenance. To automated security scanners, the newly poisoned packages look perfectly legitimate and display a green “trusted” verification badge.
5. Automated Data Exfiltration (“Dead-Drops”)
Stolen credentials are encrypted via RSA and shipped out through a dual-channel setup. The primary channel dumps the data onto public GitHub “dead-drop” repositories created automatically using stolen GitHub tokens. Over 2,200 of these dummy repositories have already been identified, easily spotted by their Dune-inspired names and the reversed description string: "niagA oG eW ereH :duluH-iahS" (Shai-Hulud: Here We Go Again).
Damage Control: The Cleanup & Recovery Protocol
While registry maintainers have already stepped in to wipe 640 malicious package variants and invalidate over 61,000 compromised npm granular access tokens, any system or pipeline that touched an affected package between May 19 and May 20, 2026, must be treated as completely compromised.
If your environments are affected, you must execute recovery steps in this exact order:
Step 1: Terminate Persistence Before Revoking Tokens
The malware installs background daemons (gh-token-monitor.sh) that poll tokens every 60 seconds. If you revoke a token while the daemon is active, it may trigger a defensive, destructive “wipe” sequence. Stop the processes first:
- Linux: systemctl --user stop kitty-monitor && systemctl --user disable kitty-monitor
- macOS: Kill the respective LaunchAgent plist residing in ~/Library/LaunchAgents/
Step 2: Clean and Harden the Node Environment
Wipe the compromised directory, clear local npm caches, downgrade your dependencies to verified pre-attack versions, and enforce strict install flags:
rm -rf node_modules package-lock.json
npm install --ignore-scripts
Pro Tip: Running npm install --ignore-scripts blocks all lifecycle scripts (preinstall, postinstall) from running automatically. This should be set as a global default in all production CI/CD pipelines.
Step 3: Total Secret Rotation
Assume everything accessible from the compromised runner or workstation has been leaked. You must immediately rotate:
- All cloud provider IAM keys and secrets (AWS, GCP, Azure).
- GitHub Personal Access Tokens (PATs) and repository secrets.
- npm registry publish tokens.
- Production database connection strings and HashiCorp Vault access configurations.
Over to You
Supply chain worms are becoming increasingly sophisticated—especially with the inclusion of AI tool targeting and forged SLSA certificates. Does your CI/CD pipeline currently block pre-install scripts via --ignore-scripts? Let’s talk about hardening strategies in the comments below!