Mini Shai-Hulud npm campaign compromises @antv packages, targeting blockchain developers’ GitHub tokens, AWS keys, and CI/CD secrets in a coordinated supply chain attack.
The malicious publications started just before 02:00 UTC on May 19. By the time most developers on the East Coast had their first coffee, the damage was already done.
Socket’s threat research team is tracking an active npm attack that compromised packages across the @antv visualization ecosystem. The affected npm maintainer account, atool, controls a wide range of data visualization and graphing packages that are widely used in blockchain developer tools. Among the flagged packages: @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, and related tools outside the @antv namespace, including timeago.js, size-sensor, and canvas-nest.js.
echarts-for-react sits in the middle of the exposure. That package draws about 1.1 million weekly downloads. Socket flagged a malicious version, 3.2.7, as known malware; the compromised artifact was published just 19 minutes before detection, according to Socket’s own package registry data.
639 versions. One night. Still counting.
The activity window was tight. Malicious publications started around 01:56 UTC and stopped around 02:56 UTC. Socket’s tracking systems caught most of them within six to twelve minutes of publication. Median detection time landed at around 6.7 minutes, according to the firm’s internal review posted at socket.dev.
Over the full Mini Shai-Hulud campaign, Socket has now detected 1,055 compromised versions across 502 unique packages. The campaign spans npm, PyPI and Composer. npm accounts for almost everything: 1,048 versions across 498 unique packages, with PyPI and Composer contributing only a handful.
The packages hit that night also included namespaces outside @antv. Packages under lint-md, openclaw-cn and starmind received malicious updates in the same wave. The CSV data reviewed by this reporter shows packages such as @antv/x6 versions 3.2.7 and 3.3.7, @antv/g2 versions 5.5.8 and 5.6.8, @antv/g6, @antv/g2plot, @antv/s2, and dozens more, all published within the same one-hour window.
Source: socket.dev.
What the payload actually does
The injected code is not subtle about its goals. The package ships a root-level index.js, and its package.json is modified so that a preinstall hook runs that file during installation: bun run index.js.
The string obfuscation runs deep. The payload uses a large lookup table, runtime string decoding, and a custom decryptor registered on globalThis as fc2edea72. Decoding it reveals the exfiltration endpoint: https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces. Collected data is gzip-compressed, encrypted with AES-256-GCM, and the AES key itself is wrapped with RSA-OAEP (SHA-256) before transmission. Inspecting that traffic from network telemetry alone is not easy.
The payload specifically hunts for developer environment secrets. GitHub tokens, npm tokens, AWS credentials, Kubernetes service account credentials, Vault tokens, SSH private keys, Docker authentication files, and database connection strings all appear in the target list. It also contains explicit logic for 19 CI/CD platforms, including GitHub Actions, GitLab CI, CircleCI, Jenkins, Azure DevOps, AWS CodeBuild, Buildkite, Vercel, and Netlify.
That list reads like a shopping cart. Not a surveillance tool.
GitHub repositories, Dune names, and a worm with ambitions
A GitHub fallback exfiltration path exists for cases where the primary HTTPS endpoint is blocked. If the payload obtains a usable GitHub token, it creates a repository under the victim’s account and places stolen data in a results/ directory. File names follow a results-<timestamp>-<counter>.json pattern. Socket has previously documented this behavior in earlier Mini Shai-Hulud waves.
Public GitHub search results for the reverse tag phrase currently show about 1.8k repositories, based on screenshots reviewed from the Socket report. Repository names follow Dune-themed patterns: sayyadina-stillsuit-852, atreides-ornithopter-112, harkonnen-phibian-552. One observed repository, Zaynex/sayyadina-stillsuit-852, contains a results/ directory consistent with active exfiltration.
There is also worm logic built in. The payload validates npm tokens against the registry API, enumerates the packages the compromised maintainer can publish to, injects the preinstall hook, bumps version numbers, and then republishes under the compromised maintainer’s identity. It is designed to spread, not just steal.
Earlier Mini Shai-Hulud variants hit TanStack packages and Intercom-related tools. Different filenames, different C2 endpoints. This wave uses a root-level index.js and a smaller payload body, but the core behavior matches across variants, and Socket treats it as the same campaign family.
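Two checks a defender can run against the pattern described above, as an added example that is not Socket's tooling or any @antv project code: flag lifecycle scripts in a parsed package.json (the preinstall hook carrying bun run index.js) and list the versions in a registry time map that were published inside a given UTC window (the 01:56 to 02:56 publication burst). The package names, versions and timestamps below are constructed samples; the year is a placeholder because the article does not state it.

```javascript
// npm lifecycle scripts that execute during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// The wave described above ran a package-root index.js via bun; a hook of this
// shape is rated "high", any other lifecycle script is rated "review".
const ROOT_RUNNER = /^\s*(bun|node|npx)\s+(run\s+)?\.?\/?index\.(js|mjs|cjs)\b/;

// Audit one parsed package.json object; returns one finding per lifecycle hook.
function auditLifecycleScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({
      name: pkg.name, version: pkg.version, hook, cmd,
      severity: ROOT_RUNNER.test(cmd) ? "high" : "review",
    });
  }
  return findings;
}

// `times` has the shape of the `time` object from `npm view <pkg> time --json`
// (version -> ISO publish timestamp, plus "created"/"modified" entries).
// Returns the versions published inside [startIso, endIso], sorted.
function versionsPublishedBetween(times, startIso, endIso) {
  const start = Date.parse(startIso), end = Date.parse(endIso);
  return Object.entries(times)
    .filter(([v]) => v !== "created" && v !== "modified")
    .filter(([, t]) => { const ms = Date.parse(t); return ms >= start && ms <= end; })
    .map(([v]) => v)
    .sort();
}

// Constructed samples: a clean release and the same package with the hook added.
const SAMPLE_CLEAN = { name: "@example/chart", version: "5.5.7",
  scripts: { build: "tsc", test: "vitest" } };
const SAMPLE_HOOKED = { name: "@example/chart", version: "5.5.8",
  scripts: { build: "tsc", preinstall: "bun run index.js" } };
// Constructed registry time map; 2025 is a placeholder year.
const SAMPLE_TIMES = {
  created: "2021-01-01T00:00:00.000Z", modified: "2025-05-19T02:31:00.000Z",
  "5.5.7": "2025-04-02T09:15:00.000Z",
  "5.5.8": "2025-05-19T02:10:00.000Z",
  "5.6.8": "2025-05-19T02:31:00.000Z",
};

console.log(auditLifecycleScripts(SAMPLE_HOOKED));
console.log(versionsPublishedBetween(SAMPLE_TIMES, "2025-05-19T01:56:00Z", "2025-05-19T02:56:00Z"));
```

In practice, feed auditLifecycleScripts every node_modules/*/package.json and compare the output against an allowlist of dependencies that are known to need install scripts.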
The threat is not theoretical for crypto infrastructure. Blockchain developers building DeFi tools or Web3 dashboards frequently use @antv map libraries for on-chain data visualization. A compromised CI/CD pipeline at a DeFi project can expose developer credentials or protocol administrator access. Socket says the investigation remains open.
The post npm Supply Chain Attack Hits @antv: Blockchain Dev Secrets Now Exposed appeared first on Live Bitcoin News.