Active Supply Chain Attack Compromises @antv Packages on npm

What Happened

A major cyberattack has compromised hundreds of popular software building blocks (npm packages), particularly those used for data visualization like @antv. When developers install these compromised packages, hidden malicious code runs automatically to steal sensitive passwords and access tokens from their computers and automated building systems. This matters because the stolen credentials can be used to breach company networks or spread the infection to even more software packages. Organizations should immediately check if they are using the affected packages, revoke any potentially exposed passwords or tokens, and monitor their systems for unauthorized access.

Key Takeaways

• A massive supply chain attack compromised hundreds of npm packages, primarily in the @antv ecosystem, via the compromised maintainer account 'atool'.
• The malicious payload, a variant of Mini Shai-Hulud, executes during package installation to harvest developer and CI/CD secrets.
• Exfiltration occurs via a hardcoded HTTPS endpoint (t[.]m-kosche[.]com) with AES-256-GCM encryption, or via a GitHub repository creation fallback mechanism.
• The malware contains worm-like capabilities, using stolen npm tokens to infect and republish other packages accessible to the victim.

Affected Systems

• Developer workstations
• CI/CD environments (GitHub Actions, GitLab CI, Jenkins, AWS CodeBuild, etc.)
• npm package registries

Attack Chain

The attacker compromised the npm maintainer account 'atool' to publish malicious updates to hundreds of packages, primarily in the @antv ecosystem. Upon installation, an obfuscated index.js payload executes via package lifecycle scripts to harvest developer and CI/CD secrets. The stolen data is encrypted and exfiltrated to a hardcoded HTTPS endpoint, with a fallback mechanism that creates Dune-themed GitHub repositories to store the data. Finally, the malware uses stolen npm tokens to infect and republish other packages accessible to the victim, propagating the infection worm-style.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article provides network indicators, GitHub repository markers, and a list of targeted secrets, but does not provide ready-to-use detection rules.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can monitor process executions and file modifications during npm installs, but may struggle to inspect heavily obfuscated JavaScript executing entirely within the Node.js runtime. Network Visibility: High — The primary C2 endpoint is a hardcoded domain, and the fallback uses the GitHub API, making network monitoring highly effective for detecting exfiltration. Detection Difficulty: Moderate — While the static C2 domain is easy to block, the payload is obfuscated and executes during routine developer activities, making behavioral detection challenging without context.

Required Log Sources

• Network Flow Logs
• DNS Query Logs
• Process Creation Logs
• File Creation Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Consider hunting for unexpected network connections to t[.]m-kosche[.]com originating from developer workstations or CI/CD build nodes.	Network Flow Logs, DNS Query Logs	Exfiltration	Low
Consider hunting for Node.js processes (npm/yarn/pnpm) making unexpected outbound connections to GitHub API endpoints or npm registry APIs outside of standard package resolution.	Process Network Connections	Credential Access / Exfiltration	Medium
If you have visibility into GitHub enterprise audit logs, consider hunting for the sudden creation of repositories matching the pattern <word>-<word>-<digits> or containing the specific reversed marker strings.	GitHub Audit Logs	Exfiltration	Low

Control Gaps

• Lack of egress filtering on CI/CD nodes
• Insufficient monitoring of developer workstation network traffic
• Blind trust in popular npm packages without provenance checks

Key Behavioral Indicators

• npm install processes spawning network connections to unknown domains
• Creation of GitHub repositories with Dune-themed names and specific marker descriptions
• Unexpected access to AWS, K8s, or Vault credential files by Node.js processes

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Identify and isolate any developer workstations or CI/CD environments that have installed the affected @antv or related packages (e.g., echarts-for-react) since the compromise date.
• Revoke and rotate any credentials, tokens, or keys (GitHub, npm, AWS, K8s, Vault) that were present on systems where the compromised packages were installed.
• Block outbound network traffic to the known C2 domain t[.]m-kosche[.]com.

Infrastructure Hardening

• Consider implementing strict egress filtering on CI/CD build nodes to only allow connections to approved package registries and necessary services.
• Evaluate the use of local package proxies or mirrors with malware scanning capabilities to intercept malicious packages before they reach developers.

User Protection

• If supported by your tooling, enforce the use of lockfiles (package-lock.json) and exact version pinning to prevent automatic updates to compromised versions.
• Consider utilizing tools that analyze package dependencies for known vulnerabilities and malicious behavior during the CI/CD pipeline.

Security Awareness

• Educate developers on the risks of supply chain attacks and the importance of reviewing package changes and maintainer alerts.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1059.007 - Command and Scripting Interpreter: JavaScript
• T1552.001 - Credentials from Password Stores: Credentials In Files
• T1552.004 - Credentials from Password Stores: Private Keys
• T1027 - Obfuscated Files or Information
• T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
• T1562.001 - Impair Defenses: Disable or Modify Tools
• T1078.004 - Valid Accounts: Cloud Accounts

Additional IOCs

• File Paths:
  • results/ - Directory created in fallback GitHub repositories to store exfiltrated data
• Other:
  • niagA oG eW ereH :duluH-iahS - Reversed marker string used in GitHub repository descriptions for fallback exfiltration
  • niaga og ew ereh :duluh-iahs - Lowercase reversed marker string used in GitHub repository descriptions
  • Shai-Hulud: Here We Go Again - Decoded marker string used in GitHub repository descriptions
  • fc2edea72 - Custom decryptor exposed through globalThis in the obfuscated payload
  • pocketwater/ghola-navigator-873 - GitHub repository used for fallback exfiltration (observed in image)
  • pocketwater/siridar-slig-102 - GitHub repository used for fallback exfiltration (observed in image)
  • pocketwater/harkonnen-stillsuit-318 - GitHub repository used for fallback exfiltration (observed in image)
  • pocketwater/fedaykin-heighliner-376 - GitHub repository used for fallback exfiltration (observed in image)
  • pocketwater/powindah-cogitor-145 - GitHub repository used for fallback exfiltration (observed in image)
  • pocketwater/atreides-fedaykin-333 - GitHub repository used for fallback exfiltration (observed in image)