Massive npm Supply Chain Attack Hits AntV Data Viz Tool — 317 Packages Compromised in 22 Minutes
Breaking: AntV Data Visualization Tool Hit by Fast-Moving npm Supply Chain Attack
Another major supply chain attack has struck the npm registry, compromising the popular AntV enterprise data visualization tool. Attackers published 637 malicious versions across 317 packages in just 22 minutes early on May 19, according to security firm SafeDep.
The incident targeted Alibaba’s AntV namespace, used globally for building dashboards, user interfaces, and interactive applications. It is the third and largest wave in a series of increasingly fast and broad npm attacks this year.
How the Attack Unfolded
Unlike last week’s high-profile TanStack attack that exploited GitHub Actions cache poisoning, this breach relied on compromised credentials of a high-value npm maintainer account. The account atool (email: i@hust.cc), which publishes the timeago.js library, had access to a vast catalog of packages.
SafeDep’s analysis reveals that atool maintained privileges for popular tools including size-sensor (4.2 million monthly downloads), echarts-for-react (3.8 million), @antv/scale (2.2 million), and timeago.js (1.15 million). This access enabled the attacker to rapidly deploy malicious versions across the entire AntV ecosystem.
‘Here We Go Again’ — The Mini-Shai-Hulud Worm
Anyone who installed a compromised package would be infected with the Mini-Shai-Hulud worm, whose source code was briefly released on GitHub. The malware steals npm and GitHub tokens, plus credentials from 130 file paths covering cloud platforms, Kubernetes, Docker, HashiCorp vaults, password managers, SSH keys, and Bitcoin wallets.
For reasons still unclear, attackers use stolen CI/CD tokens to store exfiltrated data in public GitHub repositories themed on the science fiction novel Dune. Within hours, those repositories grew to 2,500, each with a description containing the reversed string “niagA oG eW ereH :duluH-iahS” (“Shai-Hulud: Here We Go Again” backwards).
The malware also attempts to persist via a Python-based backdoor at ~/.local/share/kitty/cat.py, though security company Wiz reports the function is not yet active. The attackers, known as TeamPCP, even try to modify Claude Code’s settings.json to stealthily reinstate the malware with full LLM privileges after package removal.
Quotes from Experts
“This is the third major wave we have tracked. It went from a handful of SAP packages in April, to 169 packages in the TanStack wave, to a much larger set of packages now. Each wave has been faster and broader than the last,” said Aikido Security in its analysis.
SafeDep’s research team added: “The compromise of a single high-value maintainer account allowed attackers to rapidly pivot through 317 packages. The speed and scale indicate a well-organized campaign, not a random exploit.”
Background: A Troubling Trend in npm Security
npm is the world’s largest open-source registry, hosting millions of packages used by developers globally. Supply chain attacks have become a persistent threat, with attackers targeting maintainer accounts or exploiting CI/CD pipelines.
Earlier waves this year include a small SAP package compromise in April and the TanStack attack on May 13. The TanStack incident exploited a GitHub Actions cache poisoning vulnerability. In contrast, the AntV attack relied on classic credential theft, making it both simpler and more widespread.
AntV is an Alibaba-backed data visualization library with substantial adoption in Asia, the US, and Europe. The compromised packages affect applications in dashboards, UI components, and interactive data tools.
What This Means for Developers and Organizations
This attack underscores the vulnerability of even well-maintained, popular npm packages. Developers who use AntV, timeago.js, or any of the affected packages should immediately audit their dependencies and check for malicious versions.
The speed of the attack — 637 malicious versions in 22 minutes — makes manual detection nearly impossible. Automated security scanning tools are essential. Furthermore, the multi-vector theft of credentials (npm, GitHub, cloud, Kubernetes, wallets) means a single infected package can cascade into a full infrastructure compromise.
Organizations should enforce strict package provenance checks, limit maintainer account permissions, and implement runtime monitoring for anomalous behavior like the creation of thousands of public repositories.
Immediate Steps to Take
- Scan your project’s package-lock.json for any of the 317 compromised packages listed by SafeDep.
- Revoke all tokens stored in CI/CD environments that may have been exposed.
- Review GitHub repositories for suspicious public repos named after Dune themes — a hallmark of this campaign.
- Monitor for unauthorized access to cloud platforms, Kubernetes clusters, and password managers.
AntV maintainers have issued a warning on GitHub: “Due to the impact of an external worm attack, some packages have been compromised. We are working with npm security and SafeDep to remove malicious versions. Please update to the latest clean versions.”
Internal Resources for Further Reading
Related Articles
- AMD Unveils Instinct MI350P: PCIe Version Delivers Open-Source AI Compute to Existing Servers
- 7 Key Insights on How GitHub Uses eBPF to Bulletproof Deployments
- Gowanus Canal's $4 Billion Rebirth: Superfund Site Unveils Stunning Waterfront Parks Amid Pollution Cleanup
- How to Successfully Open-Source Your Internal Tool and Transfer It to a Foundation: Lessons from Block and Goose
- How to Contribute to the Newly Open-Sourced Warp Terminal Using AI Agents
- Rust Project Welcomes 13 Accepted Projects for Google Summer of Code 2026
- Enhancing Deployment Reliability at GitHub with eBPF
- How GitHub Uses Continuous AI to Make Accessibility Feedback Actionable