
npm Supply Chain Attack Hits @antv: Blockchain Dev Secrets Now Exposed

2026/05/19 22:45
4 min read
If you have any comments or concerns about this content, please contact crypto.news@mexc.com

Mini Shai-Hulud npm campaign compromises @antv packages, targeting blockchain developers’ GitHub tokens, AWS keys, and CI/CD secrets in a coordinated supply chain attack.

The malicious publishes started just before 2 a.m. UTC on May 19. By the time most developers on the East Coast had their first coffee, the damage was already done.

Socket’s Threat Research team is tracking an active npm supply chain attack compromising packages across the antv visualization suite. The affected npm maintainer account, atool, controls a wide range of data visualization and graphing packages used heavily in blockchain developer tooling. Among the flagged packages: antv/g2, antv/g6, antv/x6, antv/l7, antv/s2, antv/f2, and related tools outside the antv namespace including timeago.js, size-sensor, and canvas-nest.js.

echarts-for-react sits at the center of the exposure. That package pulls roughly 1.1 million weekly downloads. Socket flagged a malicious version, 3.2.7, as known malware, with the compromised artifact published just 19 minutes before detection according to Socket’s own package registry data.

639 Versions. One Night. Still Counting.

The activity window was tight. Malicious publishes began around 01:56 UTC and stopped at roughly 02:56 UTC. Socket’s detection systems caught most of it within six to twelve minutes of publication. Median detection time landed at about 6.7 minutes, per the firm’s internal review posted at socket.dev.

Across the full Mini Shai-Hulud campaign, Socket has now tracked 1,055 compromised versions across 502 unique packages. The campaign spans npm, PyPI, and Composer. npm accounts for nearly all of it: 1,048 versions across 498 unique packages, with PyPI and Composer contributing only a handful.

The affected packages that night also included namespaces outside antv. Packages under lint-md, openclaw-cn, and starmind received malicious updates in the same wave. The CSV data reviewed by this reporter shows packages like antv/x6 versions 3.2.7 and 3.3.7, antv/g2 versions 5.5.8 and 5.6.8, antv/g6, antv/g2plot, antv/s2, and dozens more, all published within that same one-hour window.

Source: socket.dev.

What the Payload Actually Does

The injected code is not subtle about its goals. A root-level index.js file modifies package.json to run itself at install time via a preinstall hook: bun run index.js.
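A practical first check for the behavior described above is to audit an installed dependency tree for install-time lifecycle hooks, and in particular for a `preinstall` script that launches a root-level `index.js` through bun. The script below is an added example written for this article, not code from Socket or from the antv project; it walks a `node_modules` directory, records every `preinstall`/`install`/`postinstall` script, and marks the ones matching the reported hook when an `index.js` also sits at the package root. The fixture it builds is constructed (the package name `@example/tampered-lib` is a placeholder, not a real package), and the regex assumes the hook text may vary only in whitespace or a leading `./`.

```python
import json
import os
import re
import tempfile

# Install-time lifecycle scripts that run arbitrary commands during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# The hook reported for the @antv wave: a root-level index.js launched via bun.
# Assumption: exact command text may vary; tolerate extra whitespace and a leading "./".
SUSPICIOUS_HOOK = re.compile(r"\bbun\s+run\s+(\./)?index\.js\b")


def find_install_hooks(node_modules: str) -> list:
    """Walk a node_modules tree and report every package that declares an install-time hook."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        path = os.path.join(root, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the audit
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if not isinstance(cmd, str):
                continue
            findings.append({
                "package": manifest.get("name", "?"),
                "version": manifest.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "path": path,
                # Strongest signal: the reported command AND a root-level index.js present on disk.
                "matches_campaign": bool(SUSPICIOUS_HOOK.search(cmd)) and "index.js" in files,
            })
    return findings


def build_demo_tree() -> str:
    """Constructed fixture: one clean package and one mimicking the reported preinstall hook."""
    base = tempfile.mkdtemp()
    clean = os.path.join(base, "node_modules", "clean-lib")
    os.makedirs(clean)
    with open(os.path.join(clean, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "clean-lib", "version": "1.0.0", "scripts": {"test": "jest"}}, fh)
    # Placeholder package name; it stands in for any tampered dependency.
    bad = os.path.join(base, "node_modules", "@example", "tampered-lib")
    os.makedirs(bad)
    with open(os.path.join(bad, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "@example/tampered-lib", "version": "9.9.9",
                   "scripts": {"preinstall": "bun run index.js", "build": "tsc"}}, fh)
    with open(os.path.join(bad, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("// inert placeholder standing in for the obfuscated loader\n")
    return os.path.join(base, "node_modules")


if __name__ == "__main__":
    for f in find_install_hooks(build_demo_tree()):
        flag = "!! campaign pattern" if f["matches_campaign"] else "   review"
        print(f"{flag}  {f['package']}@{f['version']}  {f['hook']}: {f['command']}")
```

Run it against a real project with `find_install_hooks("./node_modules")`; every hook it prints deserves a look, since legitimate packages with install scripts are the minority, and a `bun run index.js` hit paired with a root `index.js` should be treated as the indicator this article describes rather than a false positive to be explained away. Running `npm install --ignore-scripts` in CI until the tree has been reviewed removes the execution path entirely.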

String obfuscation layers run deep. The payload uses a large lookup table, runtime string decoding, and a custom decryptor registered on globalThis as fc2edea72. Decoding it reveals the exfiltration endpoint: https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces. Collected data is compressed with gzip, encrypted with AES-256-GCM, and the AES key itself is wrapped with RSA-OAEP (SHA-256) before transmission. Recovering the stolen data from captured network traffic is therefore not straightforward, even where the connection itself is logged.

The payload hunts specifically for developer environment secrets. GitHub tokens, npm tokens, AWS credentials, Kubernetes service account materials, Vault tokens, SSH private keys, Docker authentication files, and database connection strings all appear in the target list. It also contains explicit logic for 19 CI/CD platforms, including GitHub Actions, GitLab CI, CircleCI, Jenkins, Azure DevOps, AWS CodeBuild, Buildkite, Vercel, and Netlify.

That list reads like a shopping cart. Not a surveillance tool.

GitHub Repositories, Dune Names, and a Worm With Ambitions

A GitHub fallback exfiltration path exists for cases where the primary HTTPS endpoint gets blocked. If the payload obtains a usable GitHub token, it creates a repository under the victim’s account and commits stolen data into a results/ directory. File names follow a results-timestamp-counter.json pattern. Socket previously documented this behavior in earlier Mini Shai-Hulud waves.

Public GitHub search results for the reversed marker phrase currently show roughly 1.8k repositories, based on screenshots reviewed from the Socket report. Repository names follow Dune-themed patterns: sayyadina-stillsuit-852, atreides-ornithopter-112, harkonnen-phibian-552. One observed repository, Zaynex/sayyadina-stillsuit-852, contains a results/ directory consistent with active exfiltration.
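For an incident responder checking whether a developer's or organization's GitHub account was used as the fallback drop described above, the useful signals are a repository created during the attack window, a name following the Dune-themed `word-word-NNN` shape, and a `results/` directory containing `results-<timestamp>-<counter>.json` files. The triage function below is an added example for this article, not Socket's tooling or the campaign's code; it scores repository records of the kind the GitHub REST API returns against those three signals. The repository list and tree listings are constructed sample data (`example-user` is a placeholder owner), and both regexes are assumptions derived from the names and file pattern quoted in the report, so the name check in particular should be treated as a hint rather than proof.

```python
import re
from datetime import datetime, timedelta, timezone

# Observed names: sayyadina-stillsuit-852, atreides-ornithopter-112, harkonnen-phibian-552.
# Assumption: generator shape is <word>-<word>-<3 digits>; a looser pattern would over-match.
DUNE_STYLE_NAME = re.compile(r"^[a-z]+-[a-z]+-\d{3}$")
# Reported layout: results/ holding results-<timestamp>-<counter>.json.
# Assumption: timestamp and counter are plain digit runs.
RESULTS_FILE = re.compile(r"^results/results-\d+-\d+\.json$")


def triage_repos(repos, tree_paths, now, max_age_hours=72):
    """Score repositories for the fallback-exfiltration pattern.

    repos:      list of dicts with "full_name", "name", "created_at" (ISO 8601, as the API returns)
    tree_paths: dict full_name -> list of file paths in the repo's default branch
    now:        timezone-aware datetime used as the reference point for "recent"
    Returns flagged repos, highest score first; score counts signals present (0..3).
    """
    flagged = []
    for repo in repos:
        created = datetime.fromisoformat(repo["created_at"].replace("Z", "+00:00"))
        recent = (now - created) <= timedelta(hours=max_age_hours)
        name_hit = DUNE_STYLE_NAME.match(repo["name"]) is not None
        results_files = [p for p in tree_paths.get(repo["full_name"], []) if RESULTS_FILE.match(p)]
        score = int(recent) + int(name_hit) + int(bool(results_files))
        # Exfiltrated files alone are conclusive; name + recency together warrant a manual look.
        if results_files or (recent and name_hit):
            flagged.append({
                "repo": repo["full_name"],
                "score": score,
                "recent": recent,
                "dune_style_name": name_hit,
                "results_files": results_files,
            })
    flagged.sort(key=lambda f: f["score"], reverse=True)
    return flagged


# Constructed reference time and sample data: same day as the publish wave, owner is a placeholder.
NOW = datetime(2026, 5, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPOS = [
    {"full_name": "example-user/sayyadina-stillsuit-852", "name": "sayyadina-stillsuit-852",
     "created_at": "2026-05-19T02:31:00Z"},
    {"full_name": "example-user/my-website", "name": "my-website",
     "created_at": "2023-01-10T09:00:00Z"},
    {"full_name": "example-user/alpha-beta-777", "name": "alpha-beta-777",
     "created_at": "2026-05-18T20:00:00Z"},
]
SAMPLE_TREES = {
    "example-user/sayyadina-stillsuit-852": [
        "README.md", "results/results-1779158460-1.json", "results/results-1779158520-2.json"],
    "example-user/my-website": ["index.html", "css/style.css"],
    "example-user/alpha-beta-777": ["notes.txt"],
}


if __name__ == "__main__":
    for hit in triage_repos(SAMPLE_REPOS, SAMPLE_TREES, NOW):
        print(f"score={hit['score']}  {hit['repo']}  results_files={len(hit['results_files'])}")
```

In practice the repository list comes from the authenticated user's or organization's repository endpoint and the file paths from a recursive tree listing of each candidate's default branch; any hit with `results_files` should be treated as confirmed credential theft, which means rotating every token class named in the target list above, not only the GitHub token that created the repository.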

There’s worm logic built in too. The package validates npm tokens through registry APIs, enumerates maintainable packages, injects the preinstall hook, bumps version numbers, then republishes under the compromised maintainer’s identity. Designed to spread, not just steal.

Earlier Mini Shai-Hulud variants hit TanStack packages and Intercom-related tools. Different file names, different C2 endpoints. This wave uses a root-level index.js and a smaller payload body. The core behavior matches across variants. Socket treats this as the same campaign family.

The threat is not theoretical for crypto infrastructure. Blockchain developers building DeFi tooling or Web3 dashboards frequently use antv charting libraries for on-chain data visualization. A compromised CI/CD pipeline at a DeFi project could expose deployer credentials or protocol admin access. Socket says the investigation remains open.

The post npm Supply Chain Attack Hits @antv: Blockchain Dev Secrets Now Exposed appeared first on Live Bitcoin News.

Disclaimer: Articles republished on this site are taken from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes third-party rights, please contact crypto.news@mexc.com to request removal. MEXC makes no guarantee as to the accuracy, completeness, or timeliness of the content and accepts no responsibility for any action taken based on the information provided. This content does not constitute financial, legal, or other professional advice and should not be regarded as a recommendation or endorsement by MEXC.
