Cyber Web Spider Blog – News

Malicious npm Packages Compromise AntV Ecosystem


Posted on May 19, 2026 By CWS

Cybersecurity experts have uncovered a new software supply chain attack affecting npm packages linked to the @antv ecosystem. This incident is part of the ongoing Mini Shai-Hulud attack series.

Scope of the Attack

The compromised packages are tied to the npm maintainer account ‘atool’. Among them is ‘echarts-for-react’, a popular React wrapper for Apache ECharts with approximately 1.1 million weekly downloads. Affected packages include @antv/g2, @antv/g6, @antv/x6, and others. Additionally, packages outside the @antv namespace, such as ‘timeago.js’ and ‘canvas-nest.js’, have also been impacted.

The attack employs a strategy similar to Mini Shai-Hulud, in which a maintainer account is compromised and used to distribute trojanized versions of software swiftly. This campaign continues to infiltrate open-source registries, embedding credential-stealing code into numerous software tools.

Impact on the Software Ecosystem

The potential impact is considerable due to the popularity of the affected packages in the data visualization and React component ecosystems. Even if only a fraction of these packages receives malicious updates, their widespread usage could result in significant downstream exposure, particularly for organizations that update dependencies automatically.

The attacker has released 639 malicious versions across 323 unique packages, including 558 versions within 279 unique @antv packages. The payload targets over 20 types of credentials, including AWS, Google Cloud, and GitHub. The malware attempts to exfiltrate data to a specific domain; as a fallback, it uses a GitHub token to store the data in a public repository under the victim’s account.

Ongoing Threat and Mitigation

The malware includes npm propagation logic: it validates stolen tokens through the npm registry API, downloads package tarballs, injects malicious payloads, and republishes the packages with higher version numbers. This automated process was executed in a brief 22-minute window, affecting 314 packages.
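
The propagation pattern described above leaves a trace in registry publish timestamps: many distinct packages receive new versions within minutes of each other. The following JavaScript is an added example for defenders, not code from the article or from the affected projects. It assumes publish times are available in the shape of the npm packument `time` map; the function names, the alert threshold, and all version strings and timestamps are constructed for illustration.

```javascript
// Added example. SAMPLE_TIMES mimics the `time` map of npm packuments (version ->
// ISO publish time, plus a `created` key). Package names come from the article;
// every version string and timestamp below is constructed for illustration.
const SAMPLE_TIMES = {
  '@antv/g2': { created: '2025-01-05T09:00:00Z',
    '0.0.0-example.1': '2025-01-05T09:00:00Z', '0.0.0-example.2': '2026-01-01T10:01:00Z' },
  '@antv/g6': { created: '2025-02-11T14:30:00Z',
    '0.0.0-example.1': '2025-02-11T14:30:00Z', '0.0.0-example.2': '2026-01-01T10:07:00Z' },
  '@antv/x6': { created: '2025-03-20T08:15:00Z',
    '0.0.0-example.1': '2025-03-20T08:15:00Z', '0.0.0-example.2': '2026-01-01T10:12:00Z' },
  'timeago.js': { created: '2025-04-02T11:00:00Z',
    '0.0.0-example.1': '2025-04-02T11:00:00Z', '0.0.0-example.2': '2026-01-01T10:19:00Z' },
  'canvas-nest.js': { created: '2025-05-09T16:45:00Z',
    '0.0.0-example.1': '2025-05-09T16:45:00Z', '0.0.0-example.2': '2026-01-01T10:45:00Z' },
};

// Flatten the per-package maps into one time-ordered list of publish events.
function publishEvents(timesByPackage) {
  const events = [];
  for (const [name, times] of Object.entries(timesByPackage)) {
    for (const [version, iso] of Object.entries(times)) {
      if (version === 'created' || version === 'modified') continue; // metadata keys
      events.push({ name, version, at: Date.parse(iso) });
    }
  }
  return events.sort((a, b) => a.at - b.at);
}

// Slide a window of `windowMinutes` over the events; keep the one touching the most packages.
function densestBurst(events, windowMinutes) {
  const span = windowMinutes * 60 * 1000;
  let best = { packages: [], start: null, end: null };
  for (let lo = 0, hi = 0; hi < events.length; hi++) {
    while (events[hi].at - events[lo].at > span) lo++;
    const names = [...new Set(events.slice(lo, hi + 1).map((e) => e.name))].sort();
    if (names.length > best.packages.length) {
      best = { packages: names, start: new Date(events[lo].at).toISOString(),
               end: new Date(events[hi].at).toISOString() };
    }
  }
  return best;
}

// Hypothetical alert rule: many distinct packages republished inside one window.
function isSuspiciousBurst(burst, minPackages) {
  return burst.packages.length >= minPackages;
}

console.log(densestBurst(publishEvents(SAMPLE_TIMES), 22));
```

With the constructed data, the 22-minute window groups four of the five packages; the fifth was published 26 minutes after the last of them and falls outside the burst.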

The Mini Shai-Hulud campaign is believed to be orchestrated by TeamPCP. Recently, the source code was made public for a supply chain attack contest, potentially enabling other threat actors to replicate these attacks. This open-sourcing lowers the barrier for exploiting sophisticated techniques like OIDC token abuse.

The campaign highlights the risk of trusted tools being compromised within enterprise networks, facilitating credential theft and further exploitation. Organizations using GitHub Actions, Docker Hub, and other cloud-connected services are particularly vulnerable.

As the situation evolves, cybersecurity firms emphasize the need for vigilance and enhanced security measures to protect against such widespread threats.

The Hacker News. Tags: AntV, credential theft, Cybersecurity, Malware, Mini Shai-Hulud, NPM, open source security, software supply chain, TeamPCP, Threat Actors

Copyright © 2026 Cyber Web Spider Blog – News.
