Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Cybersecurity researchers have identified a massive software supply chain attack involving the Mini Shai-Hulud campaign, which compromised hundreds of npm packages to steal credentials from developer environments.

Key Points

  • The attack compromised 323 npm packages, including widely used @antv data visualization tools and the echarts-for-react wrapper.
  • Threat actors published 639 malicious versions in a 22-minute burst, embedding credential-stealing payloads that harvest data from AWS, Azure, GitHub, and Kubernetes.
  • The malware uses stolen tokens to automate self-propagation, creating over 2,500 malicious GitHub repositories and injecting preinstall hooks into legitimate software.
  • Attackers use advanced techniques, including Sigstore attestation forgery, to make malicious packages appear to be legitimate, verified releases.
  • The campaign is linked to the group TeamPCP, which recently open-sourced the framework, leading to copycat attacks by other threat actors.
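The key points above mention two things a defender can check locally: whether any installed package carries an injected preinstall hook, and whether the package names match the families named in this reporting (@antv and echarts-for-react). The following script is an added example written for this summary, not code from The Hacker News or from the affected projects. It walks a node_modules tree, lists every package whose package.json declares a lifecycle script, flags names on a watchlist built only from the package families named above (the article gives no version numbers, so the watchlist matches by name only and the affected versions must be confirmed against the maintainers' advisories), and parses an .npmrc to confirm that ignore-scripts is enabled. The sample node_modules tree and the package names in it are constructed for the demo.

```python
"""Added example (not from the article or the affected projects): audit a
node_modules tree for lifecycle scripts and package names tied to the campaign."""
import json
import pathlib
import tempfile

# Lifecycle hooks that npm runs automatically during install; the summary
# says the malware injects preinstall hooks into otherwise legitimate packages.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Package families named in the reporting above. Versions are NOT given on the
# page, so this matches by name only; verify versions against the advisories.
NAME_WATCHLIST_PREFIXES = ("@antv/",)
NAME_WATCHLIST_EXACT = ("echarts-for-react",)


def is_named_in_reporting(package_name: str) -> bool:
    """True if the package name matches a family named in the summary."""
    return package_name in NAME_WATCHLIST_EXACT or package_name.startswith(
        NAME_WATCHLIST_PREFIXES
    )


def find_lifecycle_scripts(node_modules) -> list:
    """Return one record per installed package that declares a lifecycle hook."""
    findings = []
    for pkg_json in pathlib.Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or malformed manifest; skip it
        scripts = data.get("scripts")
        if not isinstance(scripts, dict):
            continue
        hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
        if hooks:
            name = data.get("name", str(pkg_json.parent))
            findings.append(
                {
                    "name": name,
                    "version": data.get("version", "?"),
                    "hooks": hooks,
                    "watchlisted": is_named_in_reporting(name),
                    "path": str(pkg_json.parent),
                }
            )
    return sorted(findings, key=lambda f: f["name"])


def npmrc_ignores_scripts(npmrc_text: str) -> bool:
    """True if the .npmrc content sets ignore-scripts=true (last value wins)."""
    result = False
    for line in npmrc_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts":
            result = value.strip().lower() == "true"
    return result


def build_sample_tree(root) -> pathlib.Path:
    """Construct a small node_modules fixture: one clean package and one with
    an injected preinstall hook. All names and versions here are made up."""
    fixtures = {
        "clean-lib": {"name": "clean-lib", "version": "1.0.0",
                      "scripts": {"test": "node test.js"}},
        "@antv/constructed-example": {"name": "@antv/constructed-example",
                                      "version": "0.0.0-constructed",
                                      "scripts": {"preinstall": "node setup_bundle.js"}},
    }
    node_modules = pathlib.Path(root, "node_modules")
    for rel, manifest in fixtures.items():
        pkg_dir = node_modules / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return node_modules


def demo() -> list:
    """Build the fixture in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_lifecycle_scripts(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        flag = "WATCHLIST " if finding["watchlisted"] else ""
        print(f"{flag}{finding['name']}@{finding['version']}: {finding['hooks']}")
    print("ignore-scripts enabled:", npmrc_ignores_scripts("ignore-scripts=true\n"))
```

Run it against a real checkout by calling find_lifecycle_scripts("path/to/node_modules"); a package that declares a preinstall hook is not automatically malicious, but every hit is worth a diff against the version the lockfile recorded before the incident window, and the ignore-scripts check confirms that installs in CI will not execute such hooks at all.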

Why it Matters

This incident highlights a critical vulnerability in modern software development where automated CI/CD pipelines can be weaponized to distribute malware at scale. Because the attack targets trusted dependencies, organizations face significant downstream risks, including the potential for widespread credential theft and unauthorized access to cloud infrastructure.
Published by The Hacker News (info@thehackernews.com)