Shai-Hulud returned with a new supply-chain wave that hit the AntV npm ecosystem on May 19, 2026. Snyk says the incident involved 637 malicious versions across 323 packages tied to a compromised maintainer account, with affected packages representing roughly 16 million weekly downloads [1].
The attack is more serious than a fake-package upload. The affected packages kept their normal library code as cover, then added install-time payloads that looked for developer secrets and cloud credentials. JFrog also tracked the campaign and highlighted related npm and PyPI exposure, including malicious durabletask versions [2].
Why AntV matters
AntV packages are common in dashboards, reporting tools, graph analysis apps, and data-visualization projects. A developer workstation or CI runner that installed a poisoned version during the May 19 window could expose GitHub credentials, npm publishing paths, cloud tokens, and environment secrets.
This is the same Shai-Hulud pattern Gridinsoft covered in the Mini Shai-Hulud TanStack incident, but the AntV wave shows the campaign is still adapting. Valid package names and normal library code are used as cover while install scripts do the damage.
What to check first
- Lockfiles and package manifests for AntV-related versions published around May 19, 2026.
- Unexpected preinstall or other install-time scripts in package tarballs.
- Optional dependencies that pull code directly from GitHub commits.
- Developer machines and CI runners that ran npm install during the exposure window.
- Unexpected GitHub repositories, workflow files, package publishes, or token use after exposure.
Response order matters
Snyk’s remediation guidance warns that teams should remove persistence before revoking tokens, because the payload can include token-monitoring behavior: a credential rotated on a host that is still infected can be picked up just like the old one. In other words, do not only rotate secrets and assume the machine is clean. First isolate affected hosts, stop malicious processes, remove persistence, reinstall clean dependencies, and only then rotate credentials from a trusted environment.
JFrog also flags GitHub optional-dependency delivery as a risk: when an optional dependency resolves to a GitHub commit rather than a registry tarball, the malicious code is not in the npm registry artifact, so inspecting registry metadata alone misses it. Responders should therefore review both npm package metadata and any GitHub-sourced dependencies that were resolved during installation.
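One way to run the checklist above, including the GitHub-sourced dependency check, against an npm lockfile. This is an added example, not code from Snyk, JFrog, Gridinsoft or the AntV project. It walks the packages map of an npm lockfile (v2/v3 format) and flags three things: in-scope packages whose installed version was published inside the exposure window, packages that npm marked hasInstallScript (set when the package declares preinstall, install or postinstall scripts), and dependencies resolved from git or GitHub rather than the registry, noting whether they are optional. The lockfile excerpt, the publish-time data and the two-day window are constructed assumptions; in practice the publish times come from npm view <pkg> time --json.

```javascript
// Added example (not Snyk, JFrog, or AntV code): audit an npm lockfile for the
// three signals in the checklist. All sample data below is constructed.

// Assumed exposure window: the page names May 19, 2026; the end date is a guess.
const WINDOW_START = Date.parse("2026-05-19T00:00:00Z");
const WINDOW_END = Date.parse("2026-05-21T00:00:00Z");

// Constructed lockfile excerpt using real npm lockfile v3 fields
// (version, resolved, optional, hasInstallScript).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", version: "1.0.0" },
    "node_modules/@antv/g2": {
      version: "5.2.0",
      resolved: "https://registry.npmjs.org/@antv/g2/-/g2-5.2.0.tgz",
      hasInstallScript: true, // npm sets this when install-time scripts exist
    },
    "node_modules/@antv/g6": {
      version: "4.8.24",
      resolved: "https://registry.npmjs.org/@antv/g6/-/g6-4.8.24.tgz",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
    "node_modules/some-helper": {
      version: "0.0.1",
      // Hypothetical org/repo: an optional dependency pinned to a GitHub commit
      resolved: "git+ssh://git@github.com/example-org/some-helper.git#0123456789abcdef0123456789abcdef01234567",
      optional: true,
    },
  },
};

// Constructed publish times in the shape `npm view <pkg> time --json` prints:
// version -> ISO timestamp, plus "created" and "modified".
const SAMPLE_PUBLISH_TIMES = {
  "@antv/g2": {
    created: "2017-01-01T00:00:00.000Z",
    modified: "2026-05-19T08:45:12.000Z",
    "5.1.0": "2025-11-02T10:00:00.000Z",
    "5.2.0": "2026-05-19T08:45:12.000Z",
  },
  "@antv/g6": {
    created: "2018-01-01T00:00:00.000Z",
    modified: "2024-06-10T00:00:00.000Z",
    "4.8.24": "2024-06-10T00:00:00.000Z",
  },
};

// Lockfile keys are install paths; the package name is everything after the
// last "node_modules/" segment (handles nested installs).
function packageName(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

function auditLockfile(lock, publishTimes, scope = "@antv/") {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = packageName(key);
    const version = entry.version;

    // 1. In-scope version published inside the exposure window.
    const times = publishTimes[name];
    const published = times && times[version] ? Date.parse(times[version]) : NaN;
    if (name.startsWith(scope) && published >= WINDOW_START && published < WINDOW_END) {
      findings.push({ name, version, signal: "published-in-window" });
    }

    // 2. Package declares install-time scripts (npm's hasInstallScript flag).
    if (entry.hasInstallScript === true) {
      findings.push({ name, version, signal: "install-script" });
    }

    // 3. Resolved from git/GitHub instead of a registry tarball.
    const resolved = entry.resolved || "";
    if (/^git\+|github\.com/.test(resolved)) {
      const signal = entry.optional ? "optional-git-dependency" : "git-dependency";
      findings.push({ name, version, signal, resolved });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK, SAMPLE_PUBLISH_TIMES)) {
    console.log(`${f.signal.padEnd(24)} ${f.name}@${f.version}${f.resolved ? " <- " + f.resolved : ""}`);
  }
}
```

Two caveats: hasInstallScript is written by npm only, so yarn and pnpm lockfiles need their own parsing, and a package can be confirmed directly by extracting its tarball and reading the scripts field of its package.json. The window check only fires for packages whose publish times were fetched, so an in-scope package missing from the publish-time map is silently skipped; when auditing for real, fetch times for every in-scope package rather than a sample.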
What to rotate
Rotate GitHub tokens, npm tokens, cloud provider keys, CI/CD secrets, and any credentials exposed to affected runners. Review package publishing history for projects the compromised identity could reach. Do not rely on valid provenance alone: a compromised workflow can still produce legitimate-looking signing evidence while running attacker-controlled code.
Related: the same trust problem now extends beyond package registries; GitHub later confirmed that a poisoned VS Code extension exposed internal repositories, showing why developer workstations need the same scrutiny as CI pipelines.
References
- [1] Snyk, “Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account,” May 19, 2026.
- [2] JFrog Security Research, “Shai-Hulud Returns: npm Worm hits @antv in latest ongoing campaign,” May 19, 2026.

