Published: · Region: Global · Category: cyber

Malicious npm Campaign Hits Popular AntV and ECharts Packages

On 19 May 2026, researchers disclosed a 'Mini Shai-Hulud' malware campaign that compromised the 'atool' maintainer account on npm, injecting credential-stealing code into AntV-related packages, including 'echarts-for-react' with about 1.1 million weekly downloads. The attack targeted developer environments and CI/CD credentials.

Key Takeaways

Around 04:56–04:57 UTC on 19 May 2026, security researchers revealed that a coordinated malware operation—codenamed "Mini Shai-Hulud"—had infiltrated the npm ecosystem by compromising the "atool" maintainer account. The attackers used this access to push malicious updates to several AntV-related packages, including echarts-for-react, one of the most widely used charting libraries for React applications with an estimated 1.1 million weekly downloads.

The injected code was tailored to exfiltrate credentials and sensitive data from developer machines and CI/CD environments, indicating a focus on penetrating enterprise infrastructure through trusted open-source dependencies.

Background & Context

npm, the primary package registry for the JavaScript ecosystem, has been a frequent target for supply-chain attacks due to its centrality in modern web and server-side development. By compromising a single widely used package or maintainer, adversaries can quietly reach thousands of downstream applications and organizations.

The "Mini Shai-Hulud" campaign follows a pattern seen in previous npm attacks, where adversaries either gain control of maintainer accounts via credential theft, phishing, or social engineering, or exploit abandoned packages by offering to "help" maintain them. Once access is secured, malicious code can be inserted as a minor version update, often going unnoticed until anomalies are detected.

In this case, targeting AntV-related tools and echarts-for-react is especially impactful, as these libraries are widely used in data visualization dashboards, internal admin tools, and analytics platforms across industries.

Key Players Involved

The key actors include:

Why It Matters

The campaign is significant for several reasons:

  1. High-Volume Distribution: With echarts-for-react alone reportedly delivering around 1.1 million downloads per week, even a short-lived malicious release could impact a broad segment of the JavaScript ecosystem. Many organizations may not have immediate visibility into which microservices or applications rely on the compromised packages.

  2. Credential Theft Focus: By aiming at CI/CD credentials and developer environment secrets, attackers can move laterally into critical systems, including production environments, cloud infrastructure, and internal tooling. Such access can be used for data theft, ransomware deployment, or insertion of additional backdoors.

  3. Trust in Open Source Ecosystems: The incident further stresses the open-source trust model. Enterprises that depend on npm and similar registries must contend with the reality that widely used packages may be compromised at any time, requiring greater emphasis on dependency governance and code auditing.

Regional and Global Implications

This incident has global reach. The affected packages are used worldwide by organizations in finance, e-commerce, SaaS, media, and government. The scale of potential exposure means that follow-on intrusions may be uncovered over weeks or months as compromised credentials are leveraged.

Regulators and industry bodies focused on critical infrastructure and software security will likely cite this case as evidence supporting stricter software supply-chain requirements. This could accelerate adoption of standards around provenance, code signing, and secure development lifecycle (SDLC) practices.

For cloud providers and large technology firms, the attack is a reminder that their customers’ security posture is tied closely to the integrity of shared open-source components, a factor increasingly considered in risk assessments and shared-responsibility models.

Outlook & Way Forward

In the immediate term, organizations must take urgent steps to assess and mitigate exposure:

npm operators and the broader security community are likely to publish detailed indicators of compromise (IOCs), timelines of malicious versions, and remediation guidance. Security teams should integrate this intelligence into their detection and response workflows.

Over the longer term, this and similar incidents will accelerate the shift toward more rigorous dependency management practices. Likely changes include broader deployment of automated tools to audit dependencies for known malicious versions, stronger MFA and behavioral analytics for maintainer accounts, and increased use of lockfiles and internal registries to control what enters production builds.

The Mini Shai-Hulud campaign also underscores the need for cultural and organizational changes: treating open-source components as critical third-party vendors that require ongoing risk evaluation. As more organizations internalize this mindset, demand for verifiable supply-chain security—such as signed artifacts, reproducible builds, and SBOMs—will grow, reshaping how open-source ecosystems operate and are governed.
