Mini Shai-Hulud malware resurfaces in npm supply chain attack on AntV packages
Published 2026-05-18 17:28 UTC · Updated 2026-05-19 15:28 UTC
Tags: cve, exploits, malware, threat_actors, security_tooling, incident_response
Overview
The Mini Shai-Hulud malware campaign has reemerged, compromising over 300 npm packages in the AntV data visualization ecosystem through a compromised maintainer account.
Entities
AntV, Mini Shai-Hulud
Score total: 1.57
Momentum 24h: 4
Posts: 4
Origins: 4
Source types: 1
Duplicate ratio: 0%
Why now
- The campaign is active with recent bursts of malicious package versions published.
- New variants show increased capabilities to evade detection and removal.
- The attack exploits popular npm packages in the AntV ecosystem, which have millions of weekly downloads.
Why it matters
- The attack compromises widely used npm packages, risking millions of developers and applications.
- The malware's persistence and credential theft enable widespread and stealthy propagation in software supply chains.
- Supply chain attacks undermine trust in open-source ecosystems critical to modern software development.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: high
Recurring claims
- Mini Shai-Hulud malware compromised over 300 npm packages in the AntV ecosystem via a compromised maintainer account
- The malware steals GitHub tokens, npm tokens, SSH keys, cloud credentials, and database connection strings and uses CI/CD pipeline identities to publish malicious packages
- Mini Shai-Hulud installs persistent backdoors at the OS level that survive common removal attempts
How sources frame it
- CyberScoop: neutral
All evidence
Mini Shai-Hulud returns, compromising hundreds of npm packages
CyberScoop · cyberscoop.com · 2026-05-19 15:28 UTC
Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account
thehackernews · thehackernews.com · 2026-05-19 04:54 UTC
Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account
Snyk Blog · snyk.io · 2026-05-18 23:00 UTC
Leaked Shai-Hulud malware fuels new npm infostealer campaign
BleepingComputer · bleepingcomputer.com · 2026-05-18 17:28 UTC
Top publishers (this list)
- CyberScoop (1)
- thehackernews (1)
- Snyk Blog (1)
- BleepingComputer (1)
Top origin domains (this list)
- cyberscoop.com (1)
- thehackernews.com (1)
- snyk.io (1)
- bleepingcomputer.com (1)