Massive npm Supply Chain Attack Compromises AntV Ecosystem, Steals CI/CD Secrets at Scale

A critical supply chain attack compromised the npm account “atool” and poisoned over 600 versions of 323 widely-used packages across the @antv data visualization ecosystem, timeago.js, echarts-for-react, and dozens of other libraries collectively downloaded approximately 16 million times per week. The attack, attributed to the threat group TeamPCP and branded as Wave 5 of the “Mini Shai-Hulud” campaign, targets CI/CD environments to steal credentials and propagate further through the software supply chain.

Attack Overview

The attack unfolded in two rapid waves on May 19, 2026, between 01:39 and 02:06 UTC, with the attacker publishing 637 malicious package versions in a single 22-minute burst. Each compromised package contains a 498KB obfuscated JavaScript payload delivered through npm lifecycle hooks (preinstall scripts) that executes via the Bun runtime. The malware reads GitHub Actions runner process memory directly through /proc/[pid]/mem to extract CI/CD secrets in plaintext, bypassing the runner’s log masking protections. Beyond memory scraping, the payload harvests credentials from over 130 file paths covering AWS access keys and session tokens, GCP service accounts, Azure service principals, GitHub Personal Access Tokens and OIDC tokens, npm publish tokens, Kubernetes service account tokens, HashiCorp Vault credentials, SSH keys, database connection strings, and even cryptocurrency wallet files.

Technical Capabilities

Stolen data is encrypted using AES-256-GCM with RSA-OAEP key wrapping and exfiltrated through a dual-channel approach. The primary channel commits encrypted data to branches within the legitimate, heavily-trafficked antvis/G2 GitHub repository using the GitHub REST API as a dead-drop. When the GitHub API path is unavailable, the malware falls back to a direct HTTPS connection to t.m-kosche.com on port 443, disguised as OpenTelemetry trace data sent to the path /api/public/otel/v1/traces. Within hours of the attack, over 2,500 public GitHub repositories were created using exfiltrated tokens as additional dead-drops, confirming active credential exploitation at scale.

The malware also establishes multiple persistence mechanisms on developer machines. It implants backdoor hooks in AI coding assistants (Claude Code settings with SessionStart hooks), IDE configurations (VS Code tasks.json with folderOpen triggers), and operating system-level daemons (systemd services on Linux, LaunchAgents on macOS). A dedicated daemon polls GitHub for attacker-issued commands signed with RSA-PSS 4096-bit keys, enabling ongoing remote control. Additionally, the worm searches for npm tokens with bypass_2fa scope and exchanges GitHub Actions OIDC tokens for per-package npm publish tokens, enabling self-propagation to additional packages.

Affected Packages and Exposure

The following packages are among those affected, spanning charting, graph visualization, mapping, and general-purpose JavaScript utility libraries:

• @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2 (data visualization)
• @antv/g, @antv/g2plot, @antv/graphin, @antv/data-set, @antv/scale (core @antv libraries)
• timeago.js (1.5 million weekly downloads, relative time formatting)
• echarts-for-react (3.8 million weekly downloads, React charting wrapper)
• size-sensor (4.2 million weekly downloads, element size detection)
• canvas-nest.js, jest-canvas-mock, jest-date-mock, lint-md, and more

These packages are widely used across web applications, dashboards, data analytics platforms, and developer toolchains. Organizations using any of these packages in their build or deployment pipelines, especially those leveraging GitHub Actions for CI/CD, are at heightened risk. The attack does not require authentication to trigger, as malicious code executes automatically during npm install via preinstall hooks.

Recommended Remediation

Remediation should follow a strict order to prevent the persistence daemons from retaliating during credential rotation:

1. Remove persistence artifacts first: Stop and disable systemd services and LaunchAgents, delete daemon files (~/.local/share/kitty/cat.py, ~/.local/bin/gh-token-monitor.sh), and remove editor hooks (.claude/setup.mjs, .vscode/setup.mjs).
2. Clean the npm installation: Delete node_modules entirely and reinstall from known-clean package versions predating May 19, 2026. Use npm install –ignore-scripts during reinstallation.
3. Rotate all credentials: Revoke and regenerate npm publish tokens, GitHub PATs and Actions secrets, AWS access keys, GCP service accounts, Azure service principals, Kubernetes tokens, SSH keys, database credentials, and any other secrets that may have been exposed.
4. Audit GitHub repositories: Check for injected branches (especially codeql-static-analysis), unauthorized workflows, and suspicious commits with the pattern “chore: update dependencies.”
5. Review npm access logs: Identify any unauthorized package publications or token usage.

Incident Status

At the time of writing, no CVE identifiers have been assigned to this supply chain attack. The malicious package versions have been identified by multiple security vendors including Snyk, Socket, and StepSecurity. The npm registry has been notified. Regardless, the severity and breadth of the compromise, combined with confirmed active exploitation of stolen credentials, make this a critical-severity incident requiring immediate response from any organization using affected packages.

Potential Impact

Successful exploitation results in full credential theft across cloud environments (AWS, GCP, Azure), CI/CD pipelines, package registries, and developer workstations. Attackers gain the ability to access cloud infrastructure, publish malicious packages under legitimate namespaces, exfiltrate source code and secrets, and maintain persistent backdoor access to development environments. The self-propagating nature of the worm means that a single compromised developer machine or CI runner can cascade into a broader organizational compromise.

How can Orca help?

Orca enables customers to quickly identify assets with vulnerable npm packages installed, understand their exposure in context, including internet accessibility, runtime reachability, and asset criticality, and prioritize remediation based on real risk. Orca’s platform can detect installed npm packages matching the compromised @antv ecosystem libraries and flag assets running affected versions. Security teams can use Orca to identify which development environments, build servers, and production deployments reference these packages, then focus remediation efforts on the most critical and exposed assets first.