
It’s In The Packages
Shai-Hulud And npm In The Same Sentence?
It's malware. And yes, it's named after a Dune sandworm.
What: TeamPCP (threat actor) published over 600 malicious npm package versions across 323 packages in a 22-minute automated burst.
When: Started at approximately 01:39 UTC and continued until 02:06 UTC on May 19, in the year of our lord, 2026.
Primary Targets: The AntV data visualization suite, widely used in enterprise dashboards, financial tools, and graph analysis platforms.
Aftermath: Chaos.
Seriously though, these days running npm audit almost always turns up a high-severity finding to fix, and AI tooling has made churning out malicious packages so easy that attackers are basically on cruise control.
What Happened?
The attack used a compromised npm maintainer account (atool) with publish access to 547 npm packages, which put the entire portfolio under the attacker's control. At least 37 @antv/* packages were confirmed malicious; a single stolen token was enough to publish to all of them.
Researchers tracking Mini Shai-Hulud attacks (September 2025 to May 2026) confirmed 1,055 compromised versions across 502 packages: npm (1,048 versions), PyPI (6 versions), and Composer (1 version).
What Was Hit?
The affected packages collectively have approximately 16 million weekly downloads. Big numbers. Huge. @antv/g2 (1.8M weekly downloads), @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, @antv/data-set. Dormant packages like timeago.js, size-sensor, and jest-canvas-mock (all untouched for 3+ years) were used as entry points because nobody is watching them closely.
Here's How The Worm Worked
Each malicious version added a root-level index.js and modified package.json to add a preinstall or prepare script, so the payload runs automatically when you run npm install. What it stole? Credentials. Whatever kind it could find.
It aggressively targeted dev and CI/CD environments: GitHub tokens, npm tokens, environment variables, AWS credentials, HashiCorp Vault tokens, SSH private keys, Docker auth files, and database connection strings were all worm food. With a GitHub token in hand, the payload creates public repositories under the victim's account with Dune-themed names (e.g., atreides-lasgun-393) and drops the encrypted stolen data there under paths like results/results-*. With a stolen npm token, the worm republishes infected versions of every other package that account maintains, so it spreads through the software supply chain and keeps spreading even after you npm uninstall the one package you noticed.
The payload also runs a gh-token-monitor daemon that watches the stolen GitHub token. If it detects the token being revoked, it runs rm -rf ~/, so a well-meaning cleanup on the live machine can wipe your entire home directory.
What To Do Now
If you weren't hit, be kind, send virtual hugs to the devs. If you were, start here.
- Check your dependencies. Look at any @antv/*, @lint-md, @openclaw-cn, or @starmind packages you updated recently. If anything's sus, assume the worst.
- Rotate everything. GitHub tokens, npm tokens, AWS keys, or Vault credentials that touched an infected environment have to be regenerated.
- Just because a package has a fancy SLSA Level 3 badge doesn't mean it's clean. Provenance tells you which build system produced that artifact from which source; it doesn't tell you whether that source or the maintainer's credentials were compromised, and a version pushed with a stolen token may carry no provenance at all even if earlier versions did. Check the attestation on the exact version you're installing, not the badge on the package page.
- Watch your install logs. If npm install runs a preinstall or postinstall script you don't recognize, stop and check everything. Installing with npm ci --ignore-scripts keeps lifecycle hooks from running at all while you investigate.
- Look for .vscode/tasks.json with "runOn":"folderOpen" and .claude/settings.json with a SessionStart hook. Both are auto-run hooks (a folder-open task in VS Code, a session-start hook in Claude Code), which is what makes them handy persistence spots. If you find either, Mini Shai-Hulud was there.
- Don't just revoke tokens on a live machine. If you try to kill a compromised GitHub token while the infected machine is still running, you could lose your entire home directory. Isolate the machine first, or get ready to restore from backup.
- Pin exact versions in package.json, commit your lockfile, and install with npm ci. This won't stop everything (a pinned version can still be the poisoned one), but it stops a malicious release from being pulled in automatically by a range update.
Good luck, sending virtual hugs to all involved.
May 20, 2026