Best crypto insights delivered straight to your inbox.
Mini Shai-Hulud worm hijacks 323 npm packages under 30 minutes through a single stolen account
- The Mini Shai-Hulud worm compromised 323 npm packages through the hijacked “atool” account on May 19, publishing 639 malicious versions.
- Affected packages include echarts-for-react (1.1M weekly downloads), size-sensor (4.2M), and Alibaba’s entire @antv data visualization ecosystem.
- The broader campaign has now hit 1,055 versions across 502 packages spanning npm, PyPI, and Composer registries.
On May 19, the Mini Shai-Hulud worm compromised one npm maintainer account and pushed 639 malicious versions across 323 packages in under 30 minutes.
The compromised account, “atool” ([email protected]), publishes Alibaba’s entire @antv data visualization stack alongside standalone libraries used in crypto dashboards, DeFi front ends, and fintech applications.
The highest-traffic targets: size-sensor at 4.2 million weekly downloads, echarts-for-react at 1.1 million, @antv/scale at 2.2 million, and timeago.js at 1.15 million.
Projects using semver ranges like ^3.0.6 for echarts-for-react auto-resolved to the malicious version 3.2.7 on the next clean install. The maintainer closed GitHub security warnings within an hour, burying them in closed issues.
What the payload steals and how it persists
The malware harvests more than 20 credential types: AWS keys via EC2 and ECS metadata, Google Cloud and Azure tokens, GitHub and npm tokens, SSH keys, Kubernetes service accounts, HashiCorp Vault secrets, Stripe API keys, database connection strings, and local password vaults from 1Password and Bitwarden, per Socket.dev.
Exfiltration runs through two channels. Stolen credentials are encrypted with AES-256-GCM and sent to a command-and-control server.
As a fallback, the worm uses compromised GitHub tokens to create public repositories with Dune-themed names like sardaukar-melange-742 or fremen-sandworm-315, then commits the stolen data as files. StepSecurity reported over 2,500 GitHub repositories already contain indicators tied to the campaign.
Additionally, the worm uses encryption on the stolen data in OpenTelemetry traces transferred via HTTPS. On Linux-based machines, it sets up a systemd user service which is capable of fetching instructions from GitHub even after the package has been removed.
The worm modifies .vscode and .claude configuration files to ensure reactivation in development environments.
The campaign keeps growing
This is the third wave. As Cryptopolitan reported in January, the original Shai-Hulud variant hit Trust Wallet’s npm packages and caused $8.5 million in losses. The second wave struck Mistral AI, TanStack, UiPath, and Guardrails AI on May 11.
Socket has been able to identify 1,055 compromised versions in total within 502 distinct packages through npm, PyPI, and Composer.
The threat group behind the campaign, TeamPCP, has promoted its tooling on underground hacking forums, according to Datadog researchers. Copycat versions have emerged that use different command-and-control servers, making attribution difficult.
SlowMist CEO 23pds said any environment that installed affected versions should be treated as fully compromised.
Some recommended actions include revoking all access tokens, rotating credentials for AWS, GitHub, npm, and cloud providers, implementing multi-factor authentication for account publishing, and reviewing any suspicious activity within repositories.
The smartest crypto minds already read our newsletter. Want in? Join them.
FAQs
What is Mini Shai-Hulud?
Mini Shai-Hulud is a self-replicating malware campaign attributed to a financially motivated group called TeamPCP that spreads through compromised npm packages, stealing developer credentials and using them to publish further poisoned package versions under legitimate maintainer identities.
Which npm packages were affected?
The May 19 wave compromised 323 packages and 639 versions tied to the npm account "atool," including echarts-for-react (roughly 1.1 million weekly downloads), Alibaba's @antv data visualization suite, timeago.js, and size-sensor, according to SafeDep and Socket research.
What should developers do if they installed an affected package?
Security researchers recommend treating the machine or CI runner as fully compromised: rotate all credentials (AWS, GitHub, npm, SSH, database), enable two-factor authentication, audit GitHub for unauthorized repositories matching the campaign's naming pattern, and remove persistent backdoors from developer tool configuration files such as `.vscode/tasks.json` and `.claude/settings.json`.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Micah Abiodun
Micah Abiodun makes good use of his Environmental Engineering and Management (MSc) at Tallinn University of Technology (TalTech) to polish content and price prediction news at Cryptopolitan. Now on his 7th year in the crypto media space, he covers major cryptos, altcoins, DeFi, stablecoins, macro trends, and emerging tech.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)