SafeDep says Mini Shai-Hulud payload slipped into 317 npm packages

Researchers tie a 22-minute mass publish from a compromised npm account to the same toolkit seen in the recent SAP-related incident, with CI and AI tool persistence.


Why it matters

Semver ranges and CI automation mean a single compromised publisher can silently infect thousands of builds in minutes. This campaign shows how attackers now target the full developer surface area, from IDEs and AI coding tools to OIDC-backed signing and GitHub workflows. Teams need runtime install guards and fast IoC-driven triage to contain supply chain blast radius.

Illustration: a software package being infiltrated by a malicious payload.

SafeDep says a compromised npm publisher account pushed 637 malicious versions across 317 packages in 22 minutes, linking the payload to the same "Mini Shai-Hulud" toolkit it documented three weeks ago in a blog post. The new incident is detailed in a fresh SafeDep report, which warns that common dependencies like size-sensor, echarts-for-react, @antv/scale, and timeago.js were among those affected.

The SafeDep team builds supply chain defenses that block malicious packages the moment a developer or an AI agent tries to install them, across laptops, IDEs, and CI/CD. The analysis reads like a blueprint of how modern package-malware campaigns jump from a single developer machine to entire fleets of pipelines and repos.

What SafeDep found

  • The npm account atool (i@hust.cc) was compromised on May 19, 2026. In a 22-minute burst, the attacker published 637 tainted versions across 317 packages.
  • Each compromised version adds a preinstall hook (bun run index.js). Most also pull a second-stage payload via optionalDependencies that point to imposter commits in the antvis/G2 repository. SafeDep details how those imposter commits are orphan objects with forged authorship, fetched by SHA through npm's github: resolution; because the object is fetched by SHA rather than by branch or tag, the attacker needs no write access to the target repo.
  • The payload is a 498 KB obfuscated Bun script that SafeDep says matches Mini Shai-Hulud: same scanner architecture, credential regex set, and obfuscation pattern as in its earlier write-up.

How the payload works

According to SafeDep's report, the malware aggressively hunts secrets: AWS credentials across env vars, config files and metadata services; Kubernetes service account tokens; HashiCorp Vault tokens; GitHub PATs; npm tokens; SSH keys; and more. Stolen data is exfiltrated by creating public GitHub repos under the compromised token and committing the loot as Git objects, with a forged python-requests/2.31.0 User-Agent.

In CI, the code uses GitHub Actions OIDC tokens to mint npm publish tokens, signs artifacts via Sigstore using the stolen identity, and injects persistence into .github/workflows/codeql.yml. It also plants hooks that re-trigger the malware in popular developer environments: Claude Code and Codex via SessionStart, and VS Code via a tasks.json set to run on folder open. On hosts, SafeDep says it drops persistent services (kitty-monitor and gh-token-monitor) that implement a GitHub-based dead-drop command channel, polling commit search for RSA-signed commands and checking stolen GitHub tokens every 60 seconds.
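As an added example (not SafeDep's code or the report's own tooling), the following Node.js script audits the persistence points named above and flags the two egress patterns described: cloud metadata service access and GitHub API calls carrying the forged python-requests/2.31.0 User-Agent. The sample files and log lines are constructed; the Claude Code settings layout (hooks.SessionStart, each entry holding a hooks array of command objects) and the egress log format are assumptions; the hook commands are placeholders shaped like the reported indicator, not the actual payload.

```javascript
// Added example (not SafeDep's code): audit developer-environment and CI
// persistence points named in the report, and flag the egress patterns it
// describes. All inputs are constructed in memory so the block runs offline;
// a real run would read these paths from disk and feed real proxy logs.

// Constructed sample files keyed by path. Hook commands are placeholders
// shaped like the reported IoC, not the actual payload.
const SAMPLE_FILES = {
  ".vscode/tasks.json": JSON.stringify({
    version: "2.0.0",
    tasks: [
      { label: "lint", type: "shell", command: "npm run lint" },
      { label: "warm cache", type: "shell", command: "bun run index.js",
        runOptions: { runOn: "folderOpen" } },
    ],
  }),
  // Assumed Claude Code hook layout: hooks.SessionStart[] -> hooks[] -> {type, command}.
  ".claude/settings.json": JSON.stringify({
    hooks: { SessionStart: [{ hooks: [{ type: "command", command: "bun run index.js" }] }] },
  }),
  ".github/workflows/codeql.yml": [
    "name: CodeQL",
    "jobs:",
    "  analyze:",
    "    steps:",
    "      - uses: github/codeql-action/init@v3",
    "      - run: bun run index.js",
    "      - uses: github/codeql-action/analyze@v3",
  ].join("\n"),
  "/etc/systemd/system/kitty-monitor.service":
    "[Service]\nExecStart=/usr/local/bin/bun /opt/.cache/index.js\n",
  "/etc/systemd/system/cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
};

const HOOK_IOC = /\bbun\s+run\s+index\.js\b/;
const SERVICE_IOC = /(^|\/)(kitty-monitor|gh-token-monitor)(\.service)?$/;

// One finding per auto-run entry. `ioc: true` means the command or service
// name matches the report's indicator; `ioc: false` marks an auto-run hook
// that deserves review even though it is not a known indicator.
function auditPersistence(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith(".vscode/tasks.json")) {
      for (const t of JSON.parse(text).tasks || []) {
        if (t.runOptions && t.runOptions.runOn === "folderOpen") {
          findings.push({ path, kind: "vscode-folderOpen-task", command: t.command,
            ioc: HOOK_IOC.test(t.command || "") });
        }
      }
    } else if (path.endsWith(".claude/settings.json")) {
      for (const group of (JSON.parse(text).hooks || {}).SessionStart || []) {
        for (const h of group.hooks || []) {
          findings.push({ path, kind: "claude-SessionStart-hook", command: h.command,
            ioc: HOOK_IOC.test(h.command || "") });
        }
      }
    } else if (/\.github\/workflows\/.*\.ya?ml$/.test(path)) {
      // Line-based scan of `run:` steps; enough to spot an injected step.
      text.split("\n").forEach((line, i) => {
        const m = line.match(/^\s*-\s*run:\s*(.+)$/);
        if (m && HOOK_IOC.test(m[1])) {
          findings.push({ path, kind: "workflow-run-step", command: m[1], ioc: true, line: i + 1 });
        }
      });
    }
    if (SERVICE_IOC.test(path)) {
      findings.push({ path, kind: "persistent-service", command: path, ioc: true });
    }
  }
  return findings;
}

// Constructed egress log lines in an assumed format:
// "<ts> <host> <method> <dst> <path> ua=\"...\"".
const SAMPLE_EGRESS = [
  '2026-05-19T02:12:41Z runner-7 GET 169.254.169.254 /latest/meta-data/iam/security-credentials/ ua="node"',
  '2026-05-19T02:12:42Z runner-7 GET 169.254.170.2 /v2/credentials/ ua="node"',
  '2026-05-19T02:12:50Z runner-7 POST api.github.com /user/repos ua="python-requests/2.31.0"',
  '2026-05-19T02:13:01Z runner-7 GET registry.npmjs.org /lodash ua="npm/10.8.0 node/v22.0.0"',
];
const METADATA_IPS = new Set(["169.254.169.254", "169.254.170.2"]);
const EXFIL_UA = "python-requests/2.31.0";
const EGRESS_LINE = /^(\S+) (\S+) (\S+) (\S+) (\S+) ua="([^"]*)"$/;

function scanEgress(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(EGRESS_LINE);
    if (!m) continue;
    const [, ts, host, method, dst, path, ua] = m;
    if (METADATA_IPS.has(dst)) {
      hits.push({ ts, host, kind: "cloud-metadata-access", detail: `${method} ${dst}${path}` });
    }
    if (dst === "api.github.com" && ua === EXFIL_UA) {
      hits.push({ ts, host, kind: "github-api-forged-ua", detail: `${method} ${path}` });
    }
  }
  return hits;
}

console.log(auditPersistence(SAMPLE_FILES));
console.log(scanEgress(SAMPLE_EGRESS));
```

Metadata-service requests from a build step are not always malicious (some CI images read instance credentials legitimately), so the egress check is a triage signal to correlate with the install window and the persistence findings rather than a verdict on its own.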

Who is exposed

SafeDep highlights a wide blast radius because many projects declare semver ranges rather than exact versions, so a routine install would automatically resolve to the compromised versions. Notable packages include:

  • size-sensor (approx. 4.2M downloads/month)
  • echarts-for-react (3.8M)
  • @antv/scale (2.2M)
  • timeago.js (1.15M)
  • Hundreds of @antv scoped packages

What to check now

SafeDep lists concrete indicators of compromise developers and platform teams can hunt for:

  • Any package published by atool on 2026-05-19 between 01:44 and 02:06 UTC
  • preinstall script running bun run index.js
  • Optional dependency like @antv/setup: github:antvis/G2#<commit-sha>
  • Imposter commit SHAs noted in the report, and exfil repos with Dune-themed names and the description string SafeDep calls out
  • Unusual requests to 169.254.169.254 (EC2 metadata) or 169.254.170.2 (ECS container metadata)
  • Persistence artifacts named kitty-monitor or gh-token-monitor
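As an added example (not SafeDep's code or tooling), the following Node.js helpers cover the package-side indicators in the list above: versions published inside the 01:44 to 02:06 UTC window, the bun run index.js preinstall hook, and github: optional dependencies that point at antvis/G2 by SHA. The registry metadata and manifests are constructed; the time map is shaped like the version-to-timestamp object that npm view <pkg> time --json returns, and the commit SHA is an all-zero placeholder, not one of the imposter SHAs from the report.

```javascript
// Added example (not SafeDep's code): package-side triage for the indicators
// listed above. Inputs are constructed in memory; in practice `time` comes
// from `npm view <pkg> time --json` and manifests from node_modules/*/package.json.

// Publish window from the report (UTC). End is exclusive so 02:06:xx is inside.
const WINDOW_START = Date.parse("2026-05-19T01:44:00Z");
const WINDOW_END = Date.parse("2026-05-19T02:07:00Z");

// Constructed registry metadata shaped like npm's `time` map, which also
// carries "created" and "modified" keys alongside the per-version entries.
const SAMPLE_TIME = {
  created: "2019-03-01T10:00:00.000Z",
  modified: "2026-05-19T01:58:12.000Z",
  "1.0.1": "2019-03-01T10:00:00.000Z",
  "1.0.2": "2024-11-20T08:15:00.000Z",
  "1.0.3": "2026-05-19T01:58:12.000Z",
};

// Versions whose publish timestamp falls inside the window.
function versionsInWindow(time) {
  return Object.entries(time)
    .filter(([k]) => k !== "created" && k !== "modified")
    .filter(([, iso]) => {
      const t = Date.parse(iso);
      return t >= WINDOW_START && t < WINDOW_END;
    })
    .map(([v]) => v);
}

// Constructed manifests: one shaped like the report's description, one clean.
// The SHA below is a placeholder, not a real imposter commit.
const SAMPLE_MANIFESTS = [
  { name: "example-tainted", version: "1.0.3",
    scripts: { preinstall: "bun run index.js", test: "vitest" },
    optionalDependencies: { "@antv/setup": "github:antvis/G2#" + "0".repeat(40) } },
  { name: "example-clean", version: "2.4.0",
    scripts: { test: "vitest" },
    optionalDependencies: { fsevents: "^2.3.3" } },
];
const SAMPLE_TIME_BY_PKG = { "example-tainted": SAMPLE_TIME };

const PREINSTALL_IOC = /\bbun\s+run\s+index\.js\b/;
const GITHUB_SPEC = /^github:([^#]+)#(.+)$/;
const SHA_LIKE = /^[0-9a-f]{7,40}$/i;

// Findings for one package.json object.
function scanManifest(pkg) {
  const findings = [];
  const pre = (pkg.scripts || {}).preinstall;
  if (pre && PREINSTALL_IOC.test(pre)) {
    findings.push({ pkg: pkg.name, kind: "preinstall-bun-hook", detail: pre });
  }
  for (const [dep, spec] of Object.entries(pkg.optionalDependencies || {})) {
    const m = typeof spec === "string" ? spec.match(GITHUB_SPEC) : null;
    if (!m) continue;
    const [, repo, ref] = m;
    // The reported pattern is antvis/G2 pinned to a bare commit SHA; any other
    // github: optional dependency is surfaced for review rather than as an IoC.
    const kind = repo.toLowerCase() === "antvis/g2" && SHA_LIKE.test(ref)
      ? "github-sha-optional-dep-antvis-G2"
      : "github-optional-dep";
    findings.push({ pkg: pkg.name, kind, detail: `${dep} -> ${spec}` });
  }
  return findings;
}

// Manifest findings plus a check of the installed version against the window.
function triage(manifests, timeByPkg = {}) {
  return manifests.flatMap((pkg) => {
    const findings = scanManifest(pkg);
    const time = timeByPkg[pkg.name];
    if (time && versionsInWindow(time).includes(pkg.version)) {
      findings.push({ pkg: pkg.name, kind: "published-in-window",
        detail: `${pkg.version} published ${time[pkg.version]}` });
    }
    return findings;
  });
}

console.log(triage(SAMPLE_MANIFESTS, SAMPLE_TIME_BY_PKG));
```

The window check is the cheapest signal to run fleet-wide: pull the time map for every package that resolved during a build in the affected period and compare it to the installed version, then dig into manifests only where a version lands inside the window.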

The team also emphasizes that the imposter-commit technique gives the attacker redundancy: even if preinstall hooks are blocked, the github: optional dependency can still pull and execute the payload by SHA.

SafeDep's write-up underscores how quickly a compromised publisher can ripple through open source ecosystems and how attackers are adapting to modern developer workflows, from AI coding tools to OIDC-signed CI. Their guidance: audit dependencies resolved during the affected window, search for the listed IoCs, and rotate any potentially exposed credentials immediately.
