{
  "name": "Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft",
  "slug": "mini-shai-hulud-compromised-antv-npm-packages-enable-cicd-credential-theft",
  "description": "Microsoft identified an active supply chain attack targeting the @antv npm package ecosystem. A threat actor compromised an @antv maintainer account and published malicious versions of widely used data-visualization packages, affecting libraries like echarts-for-react with over 1 million weekly downloads. The attack propagates through dependency chains into CI/CD pipelines and cloud workloads. A 499 KB obfuscated JavaScript payload executes silently during npm install, specifically designed to steal credentials from GitHub Actions environments. Key capabilities include multi-platform credential theft (GitHub, AWS, HashiCorp Vault, npm, Kubernetes, 1Password), GitHub Action Runner process memory scraping, privilege escalation, dual-channel data exfiltration, and SLSA provenance forgery. The payload targets CI/CD environments deliberately, with over 2,200 compromised repositories observed. GitHub responded by removing 640 malicious packages and invalidating 61,274 npm tokens.",
  "published": "2026-05-20T22:36:01.815000+00:00",
  "created_at": "2026-05-21T16:49:52.248000+00:00",
  "modified_at": "2026-05-21T14:49:52+00:00",
  "created_at_opencti": "2026-05-21T16:49:52.248000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "ci/cd",
    "credential theft",
    "data exfiltration",
    "github actions",
    "npm",
    "obfuscation",
    "privilege escalation",
    "supply chain attack"
  ],
  "tags": [
    "2026-05-20",
    "ci/cd",
    "credential-theft",
    "data exfiltration",
    "github actions",
    "npm",
    "obfuscation",
    "privilege-escalation",
    "supply chain attack"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "0490a526-69b8-4c74-8937-3a17e3eb9759",
        "name": "a8269c01069452afb8a54de904e6419578d155fdbdb9e566bab8576a4266b61e"
      },
      {
        "id": "9bbc5e9b-de46-461b-9315-d88690b031d3",
        "name": "a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c"
      },
      {
        "id": "47e8c252-3fb7-4bff-bf35-c1075e376c65",
        "name": "fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142"
      },
      {
        "id": "5ba74648-92fe-4f9a-87b8-dfb3abf62f71",
        "name": "http://t.m-kosche.com:443"
      },
      {
        "id": "2600d2ae-9da7-4edd-82d3-1ac16c834390",
        "name": "t.m-kosche.com"
      }
    ],
    "attack_patterns": [
      {
        "id": "a706defa-5a99-4a26-b1be-ac6c1fc20b92",
        "name": "T1562.006"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "0ad4aa5d-89be-4f99-ad60-5bf7c2463044",
        "name": "T1069.003"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      },
      {
        "id": "9f21708c-24b6-46b5-bf7e-522256e8470c",
        "name": "T1552.004"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "14e5fcd9-c0ff-44f0-8430-d8942ebb832e",
        "name": "T1567.002"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "0b534d7b-0850-41a7-9bc5-f2e6162eea42",
        "name": "T1195.001"
      },
      {
        "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099",
        "name": "T1098"
      },
      {
        "id": "ee82762a-2958-4901-aade-341277d9b410",
        "name": "T1078.004"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "4804e5ac-a5df-496d-899f-3664ea857672",
        "name": "T1548.003"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "7c497590-4975-4cec-b8c6-e94966b6e9c3",
        "name": "T1087.004"
      },
      {
        "id": "b5b8a750-44c3-455d-8b8c-a29ae078f148",
        "name": "T1098.001"
      }
    ],
    "observables": [
      {
        "id": "ae42567b-6f98-49a9-8c46-3110f439aa6c",
        "name": "t.m-kosche.com"
      },
      {
        "id": "efae712a-5648-40d4-a1fb-971fcde47511",
        "name": "http://t.m-kosche.com:443"
      },
      {
        "id": "",
        "name": "a8269c01069452afb8a54de904e6419578d155fdbdb9e566bab8576a4266b61e"
      },
      {
        "id": "",
        "name": "a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c"
      },
      {
        "id": "",
        "name": "fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "t.m-kosche.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "41c3b029-62cc-4041-8821-3d722662d006",
      "standard_id": "external-reference--1099a6c1-70f2-5770-b44d-2fd0a9f140ba",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/",
      "hash": null,
      "external_id": null,
      "created": "2026-05-21T16:49:52.189Z",
      "modified": "2026-05-21T16:49:52.189Z",
      "createdById": null
    },
    {
      "id": "74d7132e-a184-496f-8d1e-0a00fb8f98c4",
      "standard_id": "external-reference--d8c32b89-e149-5fa5-ab79-6283544a54a2",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a0e3751a23f1487cbb26ac5",
      "hash": null,
      "external_id": "6a0e3751a23f1487cbb26ac5",
      "created": "2026-05-21T16:49:52.141Z",
      "modified": "2026-05-21T16:49:52.141Z",
      "createdById": null
    }
  ]
}