The AntV Mini Shai-Hulud wave deserves its own post because it was not just a follow-up mention after TanStack. It was the moment the campaign looked less like a shocking one-off and more like an operational pattern.
This time the attack centered on the compromised npm maintainer account atool and spread across the @antv ecosystem along with related packages such as timeago.js, echarts-for-react, size-sensor, and others.
What happened
Public reporting on May 19, 2026 described hundreds of malicious package versions published in a rapid wave across more than 300 npm packages.
The affected package set was especially important because it touched common frontend and data-visualization tooling rather than obscure throwaway modules. That meant a lot of normal engineering environments could ingest the malware through routine dependency updates.
Researchers described a familiar pattern from Mini Shai-Hulud variants:
- install-time execution
- heavy JavaScript obfuscation
- bun-based payload execution
- developer and CI secret harvesting
- GitHub API abuse
- credential reuse and republishing logic
The attack also used GitHub-hosted payloads and fallback paths, including optional-dependency tricks that made the install path harder to reason about from a quick package inspection.
Why this wave mattered
The TanStack compromise proved that a trusted release pipeline could be turned against a real project. The AntV wave proved that the same family of tradecraft could scale outward into a broad npm ecosystem blast radius.
That is the important distinction.
This was not mainly about one famous package namespace being compromised. It was about industrialized reuse of the same attack model across many packages and many developer environments.
Why the blast radius was so large
Several things made the AntV wave especially dangerous:
- the affected packages sat inside normal web and visualization stacks
- the maintainer account had reach into many packages
- install-time execution meant the compromise landed before application runtime
- CI runners and developer laptops often held the exact secrets the malware wanted
Public analysis described theft targets including:
- GitHub tokens
- npm tokens
- AWS credentials
- Kubernetes material
- Vault tokens
- SSH keys
- local developer configs
Some analyses also described fallback exfiltration through attacker-created GitHub repositories and persistence artifacts on developer machines.
Why this was a more mature campaign than basic npm malware
The AntV wave was not interesting because it had obfuscation. Lots of malware has obfuscation.
It was interesting because it behaved like a supply-chain operator, not just a package thief:
- it harvested secrets from developer and CI environments
- it abused trusted developer platforms during exfiltration
- it contained logic for package reinfection and republishing
- it treated package ecosystems as propagation surfaces
That is much closer to a worm model than to classic registry spam.
The implications for engineering teams
The first implication is that npm compromise windows are now measured in minutes, but those minutes are enough when automation installs the poisoned release immediately.
The second implication is that registry trust alone is too weak. By the time a package is flagged, the secrets may already be gone.
The third implication is that package incidents now routinely bleed into workstation and CI security.
What teams should change
1. Add a release-age delay for npm dependencies
This is one of the clearest lessons from repeated Mini Shai-Hulud waves. The newest version is often the least trustworthy version.
2. Reduce install-time code execution where possible
Lifecycle scripts, git-based dependencies, and prepare hooks deserve far more scrutiny than many teams give them.
3. Limit token reach in developer and CI environments
If an install script can access package publish credentials, cloud credentials, and source-control tokens at once, the environment is too permissive.
4. Treat package incidents as credential incidents
Do not stop at deleting node_modules. Rotate what the environment could reach.
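The release-age delay from step 1 can be expressed in code. The block below is an added example, not code from the post or from any of the analyses it links: given a registry packument (the JSON npm returns for `GET /<package>`, whose `time` map records when each version was published), it refuses a version younger than a minimum age and falls back to the newest version that has aged enough. The package name, versions and timestamps are constructed; the same effect on the command line comes from npm's real `--before=<ISO date>` install option.

```javascript
// Added example: release-age gate for an npm dependency, driven by the
// registry packument "time" map. Everything below is constructed sample data.
const MIN_AGE_DAYS = 7;
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed packument for a hypothetical package. Real packuments also carry
// "created" and "modified" keys in "time"; the regex filter below skips them.
const samplePackument = {
  name: 'example-chart-lib',
  'dist-tags': { latest: '2.4.1' },
  time: {
    created: '2026-04-20T10:00:00.000Z',
    modified: '2026-05-19T03:12:00.000Z',
    '2.3.0': '2026-04-20T10:00:00.000Z',
    '2.4.0': '2026-05-10T09:30:00.000Z',
    '2.4.1': '2026-05-19T03:12:00.000Z', // published hours before the "now" used in tests
  },
};

function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// All release versions published at least minAgeDays before "now", newest first.
function matureVersions(packument, now, minAgeDays) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  return Object.entries(packument.time)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v))
    .filter(([, publishedAt]) => Date.parse(publishedAt) <= cutoff)
    .map(([v]) => v)
    .sort(compareSemver)
    .reverse();
}

// Decide what to install: the "latest" tag only if it has aged enough,
// otherwise the newest mature version; null means fail closed (nothing old enough).
function pickVersion(packument, now, minAgeDays) {
  const mature = matureVersions(packument, now, minAgeDays);
  const latest = packument['dist-tags'].latest;
  return {
    requested: latest,
    allowed: mature.includes(latest),
    install: mature.length > 0 ? mature[0] : null,
  };
}
```

With "now" set to midday on 2026-05-19 and a seven-day delay, `pickVersion` blocks 2.4.1 and selects 2.4.0 instead.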
Mitigation advice
If your environment installed packages affected by the AntV wave:
- Identify all hosts and CI jobs that resolved compromised versions.
- Rebuild from known-good lockfiles and verified package versions.
- Rotate GitHub, npm, cloud, SSH, and secret-manager credentials reachable from those systems.
- Review developer machines for persistence artifacts and unexpected GitHub repository creation.
- Add cooldown or quarantine controls for newly published npm versions.
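The first and last items above, finding who resolved a bad version and spotting install-time code, can both be answered from an npm lockfile. The block below is an added example, not tooling from the post or its sources: it walks a `package-lock.json` in the lockfileVersion 2/3 layout (the `packages` map keyed by install path) and reports entries matching a known-bad list and entries npm flagged with `hasInstallScript`, which is the real field npm records for packages that run preinstall/install/postinstall. The lockfile and the affected list are constructed placeholders, not real indicators.

```javascript
// Added example: triage a package-lock.json for (1) resolved versions on a
// known-bad list and (2) dependencies with install scripts. Sample data is constructed.

// Placeholder entries only; real indicators would come from the vendor advisories.
const AFFECTED = new Set([
  'size-sensor@0.0.0-placeholder',
  '@antv/example-package@0.0.0-placeholder',
]);

// Constructed lockfileVersion 3 document, shaped like what npm writes.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'dashboard', dependencies: { 'size-sensor': '^0.0.0' } },
    'node_modules/size-sensor': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/@antv/example-package': { version: '9.9.9' }, // clean version
    'node_modules/foo/node_modules/native-helper': { version: '0.2.0', hasInstallScript: true },
  },
};

// Install path -> package name, handling scopes and nested node_modules.
function packageName(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return installPath.slice(idx + marker.length);
}

function triageLockfile(lock) {
  const affected = [];
  const installScripts = [];
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (installPath === '') continue; // the root project itself
    const spec = `${packageName(installPath)}@${entry.version}`;
    if (AFFECTED.has(spec)) affected.push(spec);
    if (entry.hasInstallScript === true) installScripts.push(spec);
  }
  return { affected, installScripts };
}
```

On a real checkout, feed it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` from each repository and CI cache you need to inventory.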
Related links
- Socket analysis of the AntV Mini Shai-Hulud wave
- Wiz analysis of the TeamPCP AntV wave
- StepSecurity analysis of the AntV ecosystem attack
- SecurityWeek coverage of the AntV wave
The AntV incident is worth separating from TanStack because it showed what comes after the first headline. Once the tradecraft exists, attackers reuse it across ecosystems fast. That is what makes Mini Shai-Hulud more than a memorable incident name. It is a repeatable operating model.