Back to Intelligence

Supply Chain Attacks: Detecting `node-ipc`, `@antv`, and Malicious GitHub Actions

SA
Security Arsenal Team
May 24, 2026
6 min read

The latest Security Affairs Malware Newsletter (Round 98) highlights a disturbing convergence of supply chain compromises targeting the modern software development lifecycle. We are seeing active exploitation of the node-ipc npm package (specifically variants deploying the Shai-Hulud credential stealer), the @antv data visualization library packages, and the actions-cool/issues-helper GitHub Action.

These are not theoretical risks. They represent a "poisoned pipeline" where build environments are weaponized to steal developer credentials, inject cryptocurrency miners, or pivot laterally into cloud infrastructure. For defenders, this means shifting focus from traditional runtime security to Software Supply Chain Security. If your developers are pulling dependencies or running Actions, you are currently exposed.

Technical Analysis

The threat landscape described in the newsletter consists of three distinct but related vectors:

1. node-ipc & Shai-Hulud Clones

  • Affected Component: node-ipc npm package (various malicious versions identified in the wild).
  • Attack Vector: Dependency Confusion / Compromised Publisher. Attackers publish versions of node-ipc containing a postinstall script.
  • Mechanism: Upon running npm install, the malicious script executes. It attempts to exfiltrate system information (environment variables, ~/.npmrc) and deploy the "Shai-Hulud" malware (a cross-platform credential stealer and miner).
  • Exploitation Status: Confirmed active exploitation in the wild. Shai-Hulud variants are actively being cloned by new actors (TeamPCP copycats).

2. @antv Packages Compromise

  • Affected Component: @antv/g6, @antv/g6plot, and related visualization libraries.
  • Attack Vector: Supply Chain Compromise.
  • Mechanism: Similar to node-ipc, malicious code is injected into the package, triggering unauthorized network connections or script execution during the build phase.

3. actions-cool/issues-helper GitHub Action

  • Affected Component: actions-cool/issues-helper.
  • Attack Vector: Repo Hijack / Tag Manipulation.
  • Mechanism: All tags for this Action were updated to point to a malicious commit. CI/CD pipelines referencing this Action (even pinned to tags) would pull the malicious code, potentially exposing repository secrets (GITHUB_TOKEN) or modifying the repository state.

The Attack Chain

  1. Initial Access: Developer or CI system runs npm install or triggers a GitHub Workflow.
  2. Execution: Malicious postinstall script or Action executes.
  3. Impact:
    • Credential Theft (.aws/credentials, .npmrc, GitHub Tokens).
    • Persistence (Cron jobs, Windows Scheduled Tasks).
    • Resource Hijacking (Crypto-mining).

Detection & Response

Sigma Rules

YAML
---
title: Suspicious Node.js Child Process Execution - Potential Supply Chain
id: 8a4f1c23-9b5e-4d12-a8c5-1d2e3f4b5c6a
status: experimental
description: Detects Node.js spawning shell processes, a common behavior in malicious npm packages like node-ipc Shai-Hulud variants.
references:
 - https://securityaffairs.com/192598/malware/security-affairs-malware-newsletter-round-98.html
author: Security Arsenal
date: 2025/03/01
tags:
 - attack.execution
 - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate build scripts (verify script path)
level: high
---
title: GitHub Actions Runner Suspicious Command Execution
id: 9b5g2d34-0c6f-5e23-b9d6-2e3f4a5c6d7b
status: experimental
description: Detects the GitHub Actions Runner worker executing unexpected shell commands or encoded payloads, indicating a compromised Action like issues-helper.
references:
 - https://securityaffairs.com/192598/malware/security-affairs-malware-newsletter-round-98.html
author: Security Arsenal
date: 2025/03/01
tags:
 - attack.execution
 - attack.t1059.001
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - 'Runner.Worker'
      - 'bin/Runner.Worker'
    Image|endswith:
      - '/bin/bash'
      - '/bin/sh'
      - '/bin/python'
    CommandLine|contains:
      - 'curl'
      - 'wget'
      - 'base64'
  condition: selection
falsepositives:
  - Legitimate CI/CD build steps using curl/wget
level: high
---
title: Node.js Process Network Connection to Non-Standard Port
id: 1c6h3e45-1d7g-6f34-c0e7-3f4a5b6d7e8c
status: experimental
description: Detects node.exe establishing network connections on high ports or non-HTTPS ports, typical of C2 beacons or crypto-miners.
references:
 - https://securityaffairs.com/192598/malware/security-affairs-malware-newsletter-round-98.html
author: Security Arsenal
date: 2025/03/01
tags:
 - attack.command_and_control
 - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\node.exe'
    DestinationPort|notin:
      - 80
      - 443
      - 8080
  condition: selection
falsepositives:
  - Local development servers (e.g., React/Vite dev servers)
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious npm install activity followed by network connections
let SuspiciousParents = dynamic(['node.exe', 'npm.cmd', 'yarn.cmd', 'pnpm.cmd']);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in (SuspiciousParents)
| where FileName in ('cmd.exe', 'powershell.exe', 'pwsh.exe', 'curl.exe', 'wget.exe')
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, FolderPath
| extend CommandLineHash = hash_sha256(ProcessCommandLine)
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in ('node.exe')
    | project DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessCommandLine
) on DeviceName
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, RemoteIP, RemotePort

Velociraptor VQL

VQL — Velociraptor
-- Hunt for malicious package entries in package-lock. files
SELECT FullPath, Mtime, Size
FROM glob(globs='**/package-lock.')
WHERE 
   -- Read file content and check for known malicious package signatures
   read_file(filename=FullPath) =~ 'node-ipc'
   OR read_file(filename=FullPath) =~ 'actions-cool/issues-helper'
   OR read_file(filename=FullPath) =~ '@antv/g6'

-- Hunt for suspicious .npmrc files being accessed or modified recently
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs='*/.npmrc')
WHERE Mtime > now() - 7d

Remediation Script (Bash)

This script audits common package managers for the presence of the mentioned malicious packages.

Bash / Shell
#!/bin/bash

# Audit npm, yarn, and pnpm for malicious packages mentioned in Round 98
# Usage: ./audit_supply_chain.sh

echo "[+] Starting Supply Chain Audit..."

# Check for node-ipc versions (verify specific versions against advisory)
echo "[+] Checking for node-ipc..."
if npm list node-ipc 2>/dev/null | grep -q "node-ipc"; then
    echo "[!] WARNING: node-ipc found. Please verify version immediately against Security Affairs advisory."
    npm ls node-ipc
fi

# Check for @antv packages
echo "[+] Checking for @antv packages..."
if npm list @antv/g6 @antv/g6plot 2>/dev/null | grep -q "@antv"; then
    echo "[!] WARNING: @antv package found. Verify integrity."
    npm ls @antv/g6 @antv/g6plot
fi

echo "[+] Checking GitHub workflows for actions-cool/issues-helper..."
# Scan .github/workflows for the malicious action
if grep -r "actions-cool/issues-helper" .github/workflows/ 2>/dev/null; then
    echo "[!] CRITICAL: actions-cool/issues-helper found in workflows. Replace with trusted alternative immediately."
    grep -rn "actions-cool/issues-helper" .github/workflows/
fi

echo "[+] Audit complete."

Remediation

Immediate action is required to sanitize your environment and prevent data exfiltration.

  1. Package Auditing & Reversion:

    • Check package-lock., yarn.lock, and pnpm-lock.yaml for node-ipc versions >= 11.0.0 (or other suspicious versions) and @antv packages published within the compromise window.
    • Force clean install: Delete node_modules and lock files, then reinstall using verified versions.
    • Command: rm -rf node_modules package-lock. && npm install

  2. GitHub Actions Sanitization:

    • Search all repositories for references to actions-cool/issues-helper.
    • Update workflows to pin to a specific commit SHA of a verified maintainer or remove the action entirely.
    • Rotate all secrets: If this action was running in your repo, assume the GITHUB_TOKEN (and any secrets passed to it) is compromised. Rotate AWS keys, API tokens, and database credentials immediately.

  3. Developer Credential Reset:

    • If Shai-Hulud (or its clones) executed, it likely exfiltrated ~/.npmrc tokens and AWS/Cloud credentials.
    • Force a password reset and token rotation for all developers who interacted with the affected repositories during the compromise window.

  4. Vendor Advisories:

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachsupply-chainnpmgithub-actions

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action