Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages

May 19, 2026

The "Mini Shai-Hulud" threat actor group has unleashed a widespread, self-propagating npm worm that has successfully compromised hundreds of popular @antv packages, which are widely utilized for data visualization. The malicious payload targets Alibaba's @antv packages, along with popular libraries like echarts-for-react and timeago.js. Once installed, the worm scans the local system to steal CI/CD secrets, configuration files, and authentication keys. Crucially, the worm targets development environments utilizing VS Code and Claude Code, planting persistent backdoors directly into the IDE configurations. After compromising these tools, the worm automatically republishes infected versions of the developer's own packages to the public registry using their cached credentials, rapidly multiplying the infection across the open-source supply chain.Organizations must instantly quarantine all usage of affected @antv, echarts-for-react, and timeago.js modules, purging local package-lock structures and build caches. Developers must carefully inspect their local VS Code settings and Claude Code profiles for unauthorized modifications or persistent scripts. All npm publishing tokens and developer credentials must be revoked immediately, and code signing protocols should be enforced to prevent automated, unauthorized package releases.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?