The world’s largest open-source registry, node package manager (npm), has been hit by another fast-moving malware attack, this time targeting the widely-used AntV enterprise data visualization tool.
Unlike last week’s high-profile npm attack on TanStack, which exploited a complex GitHub Actions cache poisoning weakness, the latest incident early on May 19 took the more conventional route of compromising the credentials of a high-value npm maintainer account.
According to analysis by SafeDep, the account in question, atool ([email protected]), which publishes the timeago.js JavaScript library, had rights to a large catalog of packages, including popular tools such as size-sensor (4.2 million downloads per month), echarts-for-react (3.8 million), @antv/scale (2.2 million), and timeago.js (1.15 million).
This privilege level allowed the attacker to publish at least 637 malicious versions across 317 different npm packages in a single 22-minute burst. This resulted in the compromise of a big chunk of Alibaba’s AntV namespace, a growing platform across Asia, the US, and Europe used to build dashboards, user interfaces, and interactive applications.
Attacks on the npm supply chain this year plot a challenging trend, said Aikido Security in its analysis. “This is the third major wave we have tracked. It went from a handful of SAP packages in April, to 169 packages in the TanStack wave, to a much larger set of packages now. Each wave has been faster and broader than the last.”
“Here We Go Again”
Anyone unlucky enough to be infected by one of the malicious packages will find themselves on the receiving end of the potent Mini-Shai-Hulud worm, the source code for which was recently briefly released to other criminals on GitHub.
Its purpose is to steal npm and GitHub tokens, as well as credentials from 130 file paths, including multiple cloud platforms, Kubernetes, Docker, Hashicorp, password vaults, SSH keys, and Bitcoin wallets.
For unknown reasons, the attackers then use stolen CI/CD tokens to store exfiltrated data in public GitHub repositories themed on the science fiction novel Dune, which, within hours of this attack, grew to 2,500 in number. Each repository description contains the string “niagA oG eW ereH :duluH-iahS” (“Shai-Hulud: Here We Go Again” backwards).
In theory, the malware is also capable of persistence via a Python-based backdoor installed at ~/.local/share/kitty/cat.py, although according to security company Wiz, this function doesn’t yet seem to be active.
The group behind the campaign, TeamPCP, doesn’t lack for ambition: the malware even tries to modify Claude Code’s settings.json, which allows the malware to be stealthily reinstated with full LLM privileges in case the infected npm packages have been removed.
Next steps
After the attack was detected, AntV’s maintainers issued the following warning on GitHub:
“Due to the impact of an external worm attack, AntV-related npm packages have been compromised. The infected packages have been deleted, while the remaining ones have been marked as deprecated,” it read. “Users are advised to carefully identify and download the latest versions. AntV is actively contacting the npm registry to have the deprecated packages removed.”
In other words, while malicious versions have been deleted, remaining packages should be treated with extreme caution, providing an incentive for developers to audit and move to known safe versions.
Because the attack infected multiple versions of the same library, establishing a known safe version will be perilous. Developers can consult a list of compromised packages (published by SafeDep as a .csv), although it’s safe to assume that if any version of the AntV library is in use, infection is a possibility.
Beyond that, recommended actions are to look for signs of compromise in CI/CD environments and repositories, and to rotate all credentials.
But the most important advice from experts is much simpler: strengthen defenses against future attacks targeting npm by improving monitoring and package verification.
This article originally appeared on InfoWorld.