The software supply chain has suffered a significant blow with the discovery of a malicious campaign targeting the @antv npm ecosystem. Dubbed "Mini Shai Hulud," this attack involves the compromise of popular npm packages to inject malicious code designed specifically for credential theft within Linux-based automation environments.
For defenders, this is not just another package dependency issue. The malware executes automatically during the npm install phase—often within CI/CD pipelines or build containers—scanning for and exfiltrating secrets from GitHub, AWS, Kubernetes, HashiCorp Vault, npm, and 1Password. If your organization utilizes JavaScript or TypeScript tooling in a DevOps pipeline, immediate forensic validation of your build environments and credential rotation are required.
Technical Analysis
Threat Vector: Supply Chain Compromise via Typosquatting or Credential Compromise of the @antv maintainer account.
Affected Products:
- Platform: Node.js runtimes on Linux (primary target for CI/CD automation).
- Packages: Various packages within the @antv scope (specific versions confirmed compromised in the wild).
Attack Chain:
- Initial Compromise: A developer or build system executes npm install, pulling a compromised @antv package version.
- Execution: The package's preinstall or install script triggers immediately upon download.
- Payload (Mini Shai-Hulud): The malicious script runs a series of commands to enumerate the file system and environment variables.
- Credential Theft: The malware targets specific directories and configuration files used by DevOps tools:
  - AWS: ~/.aws/credentials and ~/.aws/config
  - GitHub: ~/.git-credentials, ~/.config/gh/hosts.yml
  - Kubernetes: ~/.kube/config
  - Vault: ~/.vault-token
  - npm: ~/.npmrc
  - 1Password: ~/.config/op/config
- Exfiltration: Collected secrets are transmitted to an attacker-controlled C2 server.
Exploitation Status: Confirmed active exploitation. The malware is specifically obfuscated to blend in with standard build noise, making visual inspection of package.json insufficient without deep analysis.
Detection & Response
SIGMA Rules
```yaml
---
title: Potential NPM Supply Chain Credential Access
id: a8b9c0d1-2345-6789-abcd-ef1234567890
status: experimental
description: Detects npm or node processes accessing sensitive credential files on Linux, indicative of the Mini Shai-Hulud behavior or similar supply chain attacks.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.credential_access
  - attack.t1552.001
  - attack.t1059.004
logsource:
  product: linux
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '/npm'
      - '/node'
  selection_target:
    CommandLine|contains:
      - '/.aws/credentials'
      - '/.aws/config'
      - '/.git-credentials'
      - '/.kube/config'
      - '/.vault-token'
      - '/.npmrc'
  condition: selection_parent and selection_target
falsepositives:
  - Legitimate DevOps tooling that requires reading its own configuration during a build (rare during npm install).
level: high
---
title: Suspicious Shell Spawn via NPM Install
id: b1c2d3e4-3456-7890-bcde-f12345678901
status: experimental
description: Detects npm install processes spawning shell commands (bash/sh), a common technique in malicious package scripts like Mini Shai-Hulud.
references:
  - https://attack.mitre.org/techniques/T1059/004/
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.execution
  - attack.t1059.004
  - attack.t1195.002
logsource:
  product: linux
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '/npm'
    ParentCommandLine|contains: 'install'
  selection_child:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/curl'
      - '/wget'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate build scripts using install hooks (verify script content if possible).
level: medium
```
KQL (Microsoft Sentinel / Defender)
```kql
// Hunt for npm processes accessing credential files or spawning shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("npm", "node")
| where InitiatingProcessCommandLine contains "install"
| where FileName in ("sh", "bash", "cat", "curl", "wget")
    or ProcessCommandLine has ".aws/"
    or ProcessCommandLine has ".kube/"
    or ProcessCommandLine has ".git-credentials"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc
```
Velociraptor VQL
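```vql
-- Hunt for obfuscated install scripts in node_modules/@antv
-- VQL regexes are strings, so the patterns are written as raw ''' strings
-- with an inline (?i) flag instead of /.../i literals.
SELECT FullPath, Mtime, Size
FROM glob(globs='node_modules/@antv/*/package.json')
WHERE read_file(filename=FullPath, length=10000) =~ '''(?i)install.*\$\(.*\)|install.*base64'''
   OR read_file(filename=FullPath, length=10000) =~ '''curl.*http|wget.*http'''

-- Scan for shells or downloaders whose parent is an npm install process.
-- npm normally runs under the node binary, so the command line is matched as well as Exe.
LET npm_installs <= SELECT Pid FROM pslist()
  WHERE (Exe =~ 'npm' OR CommandLine =~ 'npm') AND CommandLine =~ 'install'

SELECT Pid, Ppid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ '^(bash|sh|curl)$'
  AND Ppid in npm_installs.Pid
```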
Remediation Script (Bash)
```bash
#!/bin/bash
# Security Arsenal - Mini Shai Hulud Remediation Script
# This script assists in identifying vulnerable packages and forcing a clean update.

echo "[*] Scanning for @antv packages..."

# Find package.json files and check for @antv dependencies
find . -name "package.json" -type f -exec grep -l "@antv" {} \; | while read -r file; do
    echo "[!] Potential @antv dependency found in: $file"
    dirname "$file"
done

echo "[*] Checking for compromised versions (Refer to Microsoft Blog for specific hashes)"

# If specific hashes are unavailable, force a clean install of the scope
# WARNING: This assumes the registry has been cleaned.
read -p "Do you want to force update @antv packages? (y/n) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
    echo "[*] Removing node_modules and lock files for clean reinstall..."
    rm -rf node_modules package-lock.json yarn.lock

    echo "[*] Reinstalling dependencies..."
    npm install

    echo "[*] Verifying integrity..."
    npm audit
fi

echo "[CRITICAL] MANUAL STEP REQUIRED: Rotate all credentials found in CI/CD environment variables and secrets managers (AWS, GitHub, K8s, Vault)."
```
Remediation
- Identify Exposure: Review your package-lock.json, yarn.lock, or pnpm-lock.yaml files for any @antv dependencies. Cross-reference the installed versions with the list of compromised packages provided in the Microsoft Security Blog.
- Update and Clean:
  - If compromised versions are found, update to the latest patched version immediately.
  - Delete the node_modules directory and re-run npm install (or your package manager's equivalent) to ensure no cached malicious scripts remain.
- Credential Rotation (CRITICAL): Assume compromise. If npm install ran in an environment with credentials:
  - Rotate AWS Access Keys and Secret Keys.
  - Rotate GitHub Personal Access Tokens (PATs) and OAuth App tokens.
  - Rotate Kubernetes Service Account tokens and kubeconfig files.
  - Rotate Vault tokens and 1Password credentials.
- Audit CI/CD Logs: Inspect build logs for the timeframe the compromised package was active. Look for unauthorized outbound network connections or data exfiltration.
- Container Hygiene: If this package was baked into a Docker image, rebuild the image from scratch using updated dependencies. Do not attempt to patch running containers.
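The Identify Exposure step can be scripted against a parsed package-lock.json. The following is an added example, not code from the original post or from npm: it lists every package in a scope with its pinned version, whether the lockfile records an install script, and whether the version appears on a supplied list. The function name, the sample lockfile and the flagged-version list are constructed placeholders; the real version list must come from the advisory.

```javascript
// Added example. `flagged` maps package name -> compromised versions; fill it
// from the vendor advisory (the values used below are constructed placeholders).
function findScopedPackages(lock, scope = '@antv', flagged = {}) {
  const prefix = scope + '/';
  const hits = [];
  const record = (name, meta, path, hasInstallScript) => {
    if (!name.startsWith(prefix)) return;
    hits.push({
      name, path, hasInstallScript,
      version: meta.version || null,
      integrity: meta.integrity || null,
      listed: (flagged[name] || []).includes(meta.version),
    });
  };

  // lockfileVersion 2/3: "packages" is keyed by install path, for example
  // "node_modules/a/node_modules/@antv/x"; the name follows the last "node_modules/".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    record(name, meta, path, meta.hasInstallScript === true);
  }
  if (lock.packages) return hits;

  // lockfileVersion 1: nested "dependencies" tree; install scripts are not
  // recorded in this format, so the flag is null (unknown).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + name;
      record(name, meta, path, null);
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: names and versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left': { version: '2.0.0' },
    'node_modules/@antv/example-a': { version: '1.2.3', hasInstallScript: true },
    'node_modules/left/node_modules/@antv/example-b': { version: '0.4.0' },
  },
};
const sampleFlagged = { '@antv/example-a': ['1.2.3'] };
console.log(findScopedPackages(sampleLock, '@antv', sampleFlagged));
```

To check a real project, pass the function the result of JSON.parse on the project's package-lock.json together with the version list from the advisory.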