MINI SHAI-HULUD
A coordinated npm supply chain attack that compromised 314 packages through the hijacked atool maintainer account. 637 malicious versions were published in two automated waves on May 19, 2026, exploiting semver range resolution to reach projects using ^ or ~ version ranges.
High-impact packages include size-sensor (4.2M/mo), echarts-for-react (3.8M/mo), @antv/scale (2.2M/mo), and timeago.js (1.15M/mo).
- Harvests 80+ env vars — AWS, GCP, Azure, GitHub PATs, npm tokens, SSH keys, Vault tokens, K8s service accounts.
- Exfiltrates via GitHub API (public repos with Dune-themed names) and HTTPS POST disguised as OpenTelemetry traces to
t.m-kosche[.]com. - Installs persistent
systemd/LaunchAgentdaemons with GitHub dead-drop C2 via commit search API. - Hijacks AI agents — injects
.claude/settings.jsonSessionStart hooks and.vscode/tasks.jsonfolderOpentasks. - CI/CD injection — steals secrets via GitHub Actions workflow injection, exchanges OIDC tokens for npm publish rights.
- Lockfile entries for packages published by
atoolon2026-05-19between 01:39–02:06 UTC. preinstallscript:bun run index.jsin any of the 314 packages.- Files:
.claude/setup.mjs,~/.local/share/kitty/cat.py,/var/tmp/.gh_update_state. - Outbound requests to
169.254.169.254(IMDS) ort.m-kosche[.]com. - Systemd service:
kitty-monitor.service. macOS:com.user.kitty-monitor.plist. - Payload SHA256:
a68dd1e6a6e35ec3...390dfa1c
- SafeDep — Mini Shai-Hulud Strikes Again — original write-up
- Full list of 314 compromised packages
A project is likely affected if any of these is true:
- Your
package-lock.jsonorpnpm-lock.yamlcontains any of the 314 compromised packages with versions published on 2026-05-19. - You depend on
@antv/*packages (200+ in the@antvscope were compromised). - You use
size-sensor,echarts-for-react,timeago.js, orjest-canvas-mockwith semver ranges (^or~). - CI/CD ran
npm installwithout a lockfile between 01:39 and 02:06 UTC on May 19.
The @swamp/cve/mini-shai-hulud extension scans your lockfile against the full list of 314 compromised packages and flags any matching versions.
Install swamp:
$ curl -fsSL https://swamp-club.com/install.sh | shInitialize a new repo (run this in a new empty directory):
$ swamp repo initPull the scanner:
$ swamp extension pull @swamp/cve/mini-shai-huludPoint the lockfile-check method at your package-lock.json or pnpm-lock.yaml and it checks every resolved version against the known compromised list:
swamp model @swamp/cve/mini-shai-hulud method run scan \
lockfile-check \
--input lockfilePath=./package-lock.json| Package | Version | Status | | -------------------- | -------- | ----------- | | @antv/g2 | 5.5.8 | COMPROMISED | | lodash | 4.17.21 | clean | | size-sensor | 1.0.4 | COMPROMISED | | zod | 4.3.6 | clean | --- ## VULNERABLE **2** of **4** package(s) compromised in the May 2026 Mini Shai-Hulud attack.
If the scan finds compromised packages, take these steps immediately:
- 1.Pin to known-good versions. Replace compromised versions in your lockfile with the last version published before May 19, 2026 01:39 UTC. Then
rm -rf node_modules && npm ci. - 2.Rotate all credentials. The payload harvests AWS keys, GitHub PATs, npm tokens, SSH keys, Vault tokens, and K8s service accounts. Assume anything in your environment was exfiltrated.
- 3.Check for persistence. Look for
.claude/settings.jsonwith SessionStart hooks,.vscode/tasks.jsonwithfolderOpentasks,kitty-monitor.service(systemd), andcom.user.kitty-monitor.plist(macOS). - 4.Block the C2 endpoint. Add
t.m-kosche[.]comto your DNS blocklist or firewall rules. - 5.Audit CI/CD pipelines. Check for injected
.github/workflows/codeql.ymlfiles and unauthorized npm OIDC token exchanges. Review Sigstore transparency logs for artifacts signed by compromised CI identities. - 6.Search GitHub for exfil repos. The payload creates public repos with Dune-themed names (e.g.
harkonnen-melange-742) containing stolen data as Git objects.