Signal

Mini Shai-Hulud malware resurfaces, compromising hundreds of npm packages including AntV tools


Published 2026-05-19 15:28 UTC
Updated 2026-05-19 20:28 UTC
github, rss
cve, exploits, malware, threat_actors, security_tooling, incident_response
Overview

The Mini Shai-Hulud malware campaign has returned with enhanced capabilities, infecting hundreds of npm packages by exploiting maintainer credentials.

Score total: 1.5
Momentum 24h: 3
Posts: 3
Origins: 3
Source types: 2
Duplicate ratio: 0%
Why now
  • The recent surge in npm supply chain attacks, including the high-profile AntV compromise, shows attackers are intensifying efforts.
  • New variants of Mini Shai-Hulud demonstrate increased sophistication and persistence.
  • Immediate awareness and response are critical to mitigate ongoing risks in the npm ecosystem.
Why it matters
  • Supply chain attacks on npm threaten millions of developers and users relying on open-source packages.
  • Malware like Mini Shai-Hulud can steal sensitive credentials and persist despite removal attempts, increasing risk.
  • Compromise of high-value maintainer accounts enables widespread distribution of malicious code under trusted identities.
LLM analysis
Topic mix: low
Promo risk: low
Source quality: high
Recurring claims
  • Mini Shai-Hulud malware compromises hundreds of npm packages by exploiting maintainer credentials and spreads autonomously with persistent backdoors.
  • A recent npm supply chain attack compromised the 'atool' maintainer account, affecting over 300 packages including Alibaba's AntV tools, resulting in 637 malicious versions published in 22 minutes.
How sources frame it
  • CyberScoop: neutral
  • CSO Online: neutral
  • GitHub Advisories: neutral
This briefing highlights the resurgence of Mini Shai-Hulud malware targeting npm packages, emphasizing the critical need for vigilance in open-source supply chain security.
All evidence
Mini Shai-Hulud returns, compromising hundreds of npm packages
CyberScoop · cyberscoop.com · 2026-05-19 15:28 UTC
Top publishers (this list)
  • github_advisories (1)
  • CSO Online (1)
  • CyberScoop (1)
Top origin domains (this list)
  • github.com (1)
  • csoonline.com (1)
  • cyberscoop.com (1)