Feed
CriticalPublished 19 May 2026Updated 21 May 2026298 packages · 599 versions

@antv maintainer takeover (atool) — Mini Shai-Hulud burst across ~300 packages

Summary

On 2026-05-19 the compromised npm publisher atool (Alibaba / AntV co-maintainer) pushed an automated burst of 639 malicious versions across 323 unique packages — the entire @antv visualization suite plus widely-used unscoped libraries including echarts-for-react, size-sensor, and timeago.js (>15M combined monthly downloads). Each release adds a preinstall: bun run index.js hook running the Mini Shai-Hulud credential-stealer. Attributed to TeamPCP.

wormcredential-theftci-cd-compromisemaintainer-takeoverobfuscation
Threat actor
TeamPCP
Detected by
Socket · JFrog · Microsoft · Aikido · OX Security · Snyk · SafeDep
Also known as
Mini Shai-Hulud · AntV burst
Ecosystems
npm
Packages tracked
298

What happened

On 2026-05-19 between 01:39 and 02:06 UTC, the npm publisher account atool (an Alibaba / AntV co-maintainer) was compromised and used as the launch point for an automated burst of malicious releases. Socket telemetry continued seeing publishes through ~02:56 UTC; detections fired until ~03:09 UTC. After reconciliation across Socket, JFrog Security Research, Aikido, OX Security, Snyk, GBHackers, The Hacker News, BleepingComputer, and Microsoft Threat Intelligence, the final tally is 639 malicious versions across 323 unique packages — up from the initial 598+/297+ estimate.

Affected scope spans the entire @antv visualization suite (g-*, g2-*, g6-*, x6-*, l7-*, s2-*, f2-*/f-*, dipper-*, gi-assets-*, li-*, and ~120 other @antv/* packages), @lint-md/*, smaller scopes (@starmind/*, @openclaw-cn/*), plus unscoped high-traffic packages including echarts-for-react (3.0.7 / 3.1.7 / 3.2.7 — 1.1M weekly downloads), size-sensor (1.0.4 / 1.1.4 / 1.2.4 — 4.2M monthly), timeago.js (4.1.2 / 4.2.2 — 1.15M monthly), jest-canvas-mock, jest-date-mock, canvas-nest.js, mcp-echarts, and mcp-mermaid. Combined estimated exposure on the unscoped packages alone exceeds 15M monthly downloads.

Each compromised release adds a preinstall: bun run index.js hook; 597 of 598 versions also inject an optionalDependencies entry pointing at imposter commits in antvis/G2 that deliver a second copy of the payload — a novel persistence vector that survives npm rebuild and resists lockfile-only audits. The payload is a 498KB obfuscated Bun script matching the Mini Shai-Hulud toolkit used in the SAP / @cap-js (April 2026), TanStack (May 11), and same-day durabletask PyPI compromises — same scanner architecture, same credential regex set, same obfuscation pattern. Attribution to TeamPCP is consistent across Socket, The Hacker News, SafeDep, and JFrog.

A novel capability in this wave: the payload can generate valid Sigstore provenance attestations by abusing OIDC tokens harvested from compromised CI runners, allowing the malicious packages to pass standard provenance verification despite carrying credential-stealing malware.

  • Payload SHA-256 (Microsoft): a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c
  • Backdoor Python script SHA-256 (Microsoft): fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142
  • GitHub force-removed all 640 malicious package versions and invalidated 61,274 npm granular access tokens that carried write permission with 2FA bypass.
  • Stealer scope: AWS / GCP / Azure (metadata + env), GitHub PATs + npm publish tokens, Kubernetes service-account tokens and kubeconfig, HashiCorp Vault tokens, Stripe keys, database connection strings, SSH keys, .env and .env.* secrets, plus a Docker host-socket container-escape attempt.

The cleanest known version per package is always the one immediately preceding the malicious pair (e.g. @antv/g2@5.4.8, @antv/g6@5.1.1, echarts-for-react@3.0.6, size-sensor@1.0.3, timeago.js@4.0.2).

Affected packages (298)

  • npm@antv/a8
    0.1.10.2.1
  • npm@antv/adjust
    0.3.50.4.5
  • npm@antv/algorithm
    0.2.260.3.26
  • npm@antv/async-hook
    2.3.92.4.9
  • npm@antv/attr
    0.4.50.5.5
  • npm@antv/ava
    3.5.13.6.1
  • npm@antv/ava-react
    3.4.23.5.2
  • npm@antv/awards
    0.1.90.2.9
  • npm@antv/calendar-heatmap
    1.2.21.3.2
  • npm@antv/chart-linter
    1.2.61.3.6
  • npm@antv/chart-node-g6
    0.1.40.2.4
  • npm@antv/chart-visualization-skills
    0.2.30.3.3
  • npm@antv/ckb
    2.1.42.2.4
  • npm@antv/color-schema
    0.3.30.4.3
  • npm@antv/color-util
    2.1.62.2.6
  • npm@antv/component
    2.2.112.3.11
  • npm@antv/coord
    0.5.70.6.7
  • npm@antv/d3-color
    1.1.01.2.0
  • npm@antv/d3-interpolate
    1.1.31.2.3
  • npm@antv/data-samples
    1.1.11.2.1
  • npm@antv/data-set
    0.12.80.13.8
  • npm@antv/data-wizard
    2.1.42.2.4
  • npm@antv/dipper-component
    0.1.40.2.4
  • npm@antv/dipper-hooks
    0.3.10.4.1
  • npm@antv/dipper-map
    1.1.101.2.10
  • npm@antv/dom-util
    2.1.42.2.4
  • npm@antv/dumi-theme-antv
    0.9.40.10.4
  • npm@antv/dw-analyzer
    1.2.51.3.5
  • npm@antv/dw-random
    1.2.71.3.7
  • npm@antv/dw-transform
    1.2.71.3.7
  • npm@antv/dw-util
    1.2.41.3.4
  • npm@antv/event-emitter
    0.2.30.3.3
  • npm@antv/expr
    1.1.21.2.2
  • npm@antv/f-charts
    0.1.00.2.0
  • npm@antv/f-engine
    1.11.01.12.0
  • npm@antv/f-lottie
    1.11.01.12.0
  • npm@antv/f-my
    1.11.01.12.0
  • npm@antv/f-react
    1.11.01.12.0
  • npm@antv/f-test-utils
    1.1.91.2.9
  • npm@antv/f-vue
    1.11.01.12.0
  • npm@antv/f-wx
    1.11.01.12.0
  • npm@antv/f2
    5.15.05.16.0
  • npm@antv/f2-algorithm
    5.8.05.9.0
  • npm@antv/f2-canvas
    1.1.51.2.5
  • npm@antv/f2-context
    0.1.10.2.1
  • npm@antv/f2-graphic
    0.1.160.2.16
  • npm@antv/f2-my
    4.1.524.2.52
  • npm@antv/f2-react
    5.15.05.16.0
  • npm@antv/f2-site
    4.1.424.2.42
  • npm@antv/f2-vue
    4.1.334.2.33
  • npm@antv/f2-wordcloud
    5.15.05.16.0
  • npm@antv/f2-wx
    4.1.514.2.51
  • npm@antv/f6
    0.1.190.2.19
  • npm@antv/f6-alipay
    0.1.70.2.7
  • npm@antv/f6-core
    0.1.20.2.2
  • npm@antv/f6-element
    0.1.10.2.1
  • npm@antv/f6-hammerjs
    0.1.20.2.2
  • npm@antv/f6-plugin
    1.1.61.2.6
  • npm@antv/f6-ui
    1.1.31.2.3
  • npm@antv/f6-wx
    0.1.70.2.7
  • npm@antv/g
    6.4.16.5.1
  • npm@antv/g-base
    0.6.160.7.16
  • npm@antv/g-camera-api
    2.1.452.2.45
  • npm@antv/g-canvas
    2.3.02.4.0
  • npm@antv/g-canvaskit
    1.2.11.3.1
  • npm@antv/g-compat
    1.1.111.2.11
  • npm@antv/g-components
    2.1.422.2.42
  • npm@antv/g-css-layout-api
    1.1.381.2.38
  • npm@antv/g-css-typed-om-api
    1.1.381.2.38
  • npm@antv/g-device-api
    1.7.131.8.13
  • npm@antv/g-dom-mutation-observer-api
    2.1.422.2.42
  • npm@antv/g-gesture
    3.1.423.2.42
  • npm@antv/g-image-exporter
    1.1.421.2.42
  • npm@antv/g-layout-blocklike
    1.8.491.9.49
  • npm@antv/g-lite
    2.8.02.9.0
  • npm@antv/g-lottie-player
    1.2.11.3.1
  • npm@antv/g-math
    3.2.03.3.0
  • npm@antv/g-mobile
    1.2.51.3.5
  • npm@antv/g-mobile-canvas
    1.2.11.3.1
  • npm@antv/g-mobile-canvas-element
    1.1.421.2.42
  • npm@antv/g-mobile-svg
    1.2.11.3.1
  • npm@antv/g-mobile-webgl
    1.2.11.3.1
  • npm@antv/g-pattern
    2.1.422.2.42
  • npm@antv/g-perf
    1.1.01.2.0
  • npm@antv/g-plugin-3d
    2.2.12.3.1
  • npm@antv/g-plugin-a11y
    1.5.11.6.1
  • npm@antv/g-plugin-annotation
    1.3.01.4.0
  • npm@antv/g-plugin-box2d
    2.2.12.3.1
  • npm@antv/g-plugin-canvas-path-generator
    2.2.262.3.26
  • npm@antv/g-plugin-canvas-picker
    2.4.12.5.1
  • npm@antv/g-plugin-canvas-renderer
    2.6.12.7.1
  • npm@antv/g-plugin-canvaskit-renderer
    2.4.12.5.1
  • npm@antv/g-plugin-control
    2.2.12.3.1
  • npm@antv/g-plugin-css-select
    2.2.12.3.1
  • npm@antv/g-plugin-device-renderer
    2.7.12.8.1
  • npm@antv/g-plugin-dom-interaction
    2.2.312.3.31
  • npm@antv/g-plugin-dragndrop
    2.2.12.3.1
  • npm@antv/g-plugin-gesture
    2.2.12.3.1
  • npm@antv/g-plugin-gpgpu
    1.10.201.11.20
  • npm@antv/g-plugin-html-renderer
    2.4.12.5.1
  • npm@antv/g-plugin-image-loader
    2.4.12.5.1
  • npm@antv/g-plugin-matterjs
    2.2.12.3.1
  • npm@antv/g-plugin-mobile-interaction
    1.1.421.2.42
  • npm@antv/g-plugin-physx
    2.2.12.3.1
  • npm@antv/g-plugin-rough-canvas-renderer
    2.2.12.3.1
  • npm@antv/g-plugin-rough-svg-renderer
    2.2.12.3.1
  • npm@antv/g-plugin-svg-picker
    2.1.462.2.46
  • npm@antv/g-plugin-svg-renderer
    2.5.12.6.1
  • npm@antv/g-plugin-webgl-device
    1.10.171.11.17
  • npm@antv/g-plugin-webgl-renderer
    1.1.261.2.26
  • npm@antv/g-plugin-webgpu-device
    1.10.171.11.17
  • npm@antv/g-plugin-yoga
    2.4.12.5.1
  • npm@antv/g-plugin-zdog-canvas-renderer
    2.2.12.3.1
  • npm@antv/g-plugin-zdog-svg-renderer
    2.2.12.3.1
  • npm@antv/g-shader-components
    2.1.02.2.0
  • npm@antv/g-svg
    2.2.12.3.1
  • npm@antv/g-web-animations-api
    2.2.322.3.32
  • npm@antv/g-web-components
    2.2.12.3.1
  • npm@antv/g-webgl
    2.2.12.3.1
  • npm@antv/g-webgl-compute
    0.1.10.2.1
  • npm@antv/g-webgpu
    2.2.12.3.1
  • npm@antv/g-webgpu-compiler
    0.8.20.9.2
  • npm@antv/g-webgpu-core
    0.8.20.9.2
  • npm@antv/g-webgpu-engine
    0.8.20.9.2
  • npm@antv/g-webgpu-raytracer
    0.6.10.7.1
  • npm@antv/g-webgpu-unitchart
    0.6.10.7.1
  • npm@antv/g2
    5.5.85.6.8
  • npm@antv/g2-brush
    0.1.20.2.2
  • npm@antv/g2-extension-3d
    0.3.00.4.0
  • npm@antv/g2-extension-ava
    0.3.00.4.0
  • npm@antv/g2-extension-plot
    0.3.20.4.2
  • npm@antv/g2-plugin-slider
    2.2.12.3.1
  • npm@antv/g2-ssr
    0.3.00.4.0
  • npm@antv/g2plot
    2.5.352.6.35
  • npm@antv/g2plot-schemas
    1.3.21.4.2
  • npm@antv/g6
    5.2.15.3.1
  • npm@antv/g6-alipay
    0.1.10.2.1
  • npm@antv/g6-cli
    0.1.40.2.4
  • npm@antv/g6-core
    0.9.240.10.24
  • npm@antv/g6-editor
    1.3.01.4.0
  • npm@antv/g6-element
    0.9.250.10.25
  • npm@antv/g6-extension-3d
    0.2.230.3.23
  • npm@antv/g6-extension-react
    0.3.70.4.7
  • npm@antv/g6-mobile
    0.2.20.3.2
  • npm@antv/g6-pc
    0.9.250.10.25
  • npm@antv/g6-plugin
    0.9.250.10.25
  • npm@antv/g6-plugin-map-view
    0.1.40.2.4
  • npm@antv/g6-plugins
    1.1.91.2.9
  • npm@antv/g6-react-node
    1.5.81.6.8
  • npm@antv/g6-ssr
    0.2.10.3.1
  • npm@antv/g6-wx
    0.1.10.2.1
  • npm@antv/gatsby-theme
    0.2.00.3.0
  • npm@antv/geo-coord
    1.1.81.2.8
  • npm@antv/gi-assets-advance
    2.6.222.7.22
  • npm@antv/gi-assets-algorithm
    2.4.192.5.19
  • npm@antv/gi-assets-basic
    2.5.402.6.40
  • npm@antv/gi-assets-galaxybase
    1.3.151.4.15
  • npm@antv/gi-assets-graphscope
    2.2.152.3.15
  • npm@antv/gi-assets-hugegraph
    1.2.151.3.15
  • npm@antv/gi-assets-janusgraph
    1.2.151.3.15
  • npm@antv/gi-assets-neo4j
    2.2.152.3.15
  • npm@antv/gi-assets-scene
    2.3.212.4.21
  • npm@antv/gi-assets-tugraph
    2.2.152.3.15
  • npm@antv/gi-assets-tugraph-analytics
    0.3.150.4.15
  • npm@antv/gi-assets-xlab
    0.2.300.3.30
  • npm@antv/gi-cli
    1.3.111.4.11
  • npm@antv/gi-common-components
    1.4.161.5.16
  • npm@antv/gi-mock-data
    1.1.51.2.5
  • npm@antv/gi-public-data
    1.1.11.2.1
  • npm@antv/gi-sdk
    3.1.03.2.0
  • npm@antv/gi-sdk-app
    1.3.101.4.10
  • npm@antv/gi-theme-antd
    0.7.110.8.11
  • npm@antv/github-config-cli
    0.2.00.3.0
  • npm@antv/gl-matrix
    2.8.12.9.1
  • npm@antv/gpt-vis
    1.1.01.2.0
  • npm@antv/gpt-vis-ssr
    0.4.70.5.7
  • npm@antv/graphin
    3.1.53.2.5
  • npm@antv/graphin-components
    2.5.12.6.1
  • npm@antv/graphin-graphscope
    1.1.51.2.5
  • npm@antv/graphin-icons
    1.1.01.2.0
  • npm@antv/graphlib
    2.1.42.2.4
  • npm@antv/hierarchy
    0.8.10.9.1
  • npm@antv/infographic
    0.3.190.4.19
  • npm@antv/interaction
    0.2.50.3.5
  • npm@antv/istanbul
    0.1.00.2.0
  • npm@antv/knowledge
    1.2.41.3.4
  • npm@antv/l7
    2.26.102.27.10
  • npm@antv/l7-component
    2.26.102.27.10
  • npm@antv/l7-composite-layers
    0.18.10.19.1
  • npm@antv/l7-core
    2.26.102.27.10
  • npm@antv/l7-district
    2.4.122.5.12
  • npm@antv/l7-draw
    3.2.53.3.5
  • npm@antv/l7-editor
    1.2.131.3.13
  • npm@antv/l7-extension-g-layer
    1.1.01.2.0
  • npm@antv/l7-layers
    2.26.102.27.10
  • npm@antv/l7-leaflet
    1.1.21.2.2
  • npm@antv/l7-map
    2.26.102.27.10
  • npm@antv/l7-mapkit
    0.6.00.7.0
  • npm@antv/l7-maps
    2.26.102.27.10
  • npm@antv/l7-mini
    2.21.82.22.8
  • npm@antv/l7-pass
    1.1.01.2.0
  • npm@antv/l7-react
    2.5.32.6.3
  • npm@antv/l7-renderer
    2.26.102.27.10
  • npm@antv/l7-scene
    2.26.102.27.10
  • npm@antv/l7-source
    2.26.102.27.10
  • npm@antv/l7-three
    2.26.102.27.10
  • npm@antv/l7-utils
    2.26.102.27.10
  • npm@antv/l7plot
    0.6.110.7.11
  • npm@antv/l7plot-component
    0.1.110.2.11
  • npm@antv/larkmap
    1.6.11.7.1
  • npm@antv/layout-gpu
    1.2.71.3.7
  • npm@antv/layout-wasm
    1.5.21.6.2
  • npm@antv/li-aiearth-assets
    0.5.70.6.7
  • npm@antv/li-analysis-assets
    1.10.11.11.1
  • npm@antv/li-core-assets
    1.4.71.5.7
  • npm@antv/li-editor
    1.7.11.8.1
  • npm@antv/li-p2
    1.9.21.10.2
  • npm@antv/li-sam-assets
    0.2.40.3.4
  • npm@antv/li-sdk
    1.6.11.7.1
  • npm@antv/lite-insight
    2.2.12.3.1
  • npm@antv/matrix-util
    3.1.43.2.4
  • npm@antv/mcp-server-antv
    0.2.80.3.8
  • npm@antv/mcp-server-chart
    0.10.100.11.10
  • npm@antv/my-f2
    2.2.72.3.7
  • npm@antv/my-f2-pc
    0.2.10.3.1
  • npm@antv/narrative-text-editor
    0.3.200.4.20
  • npm@antv/narrative-text-schema
    0.4.70.5.7
  • npm@antv/narrative-text-vis
    0.4.160.5.16
  • npm@antv/path-util
    3.1.13.2.1
  • npm@antv/react-g
    2.2.12.3.1
  • npm@antv/s2
    2.8.12.9.1
  • npm@antv/s2-react
    2.4.12.5.1
  • npm@antv/s2-react-components
    2.2.22.3.2
  • npm@antv/s2-ssr
    0.2.10.3.1
  • npm@antv/s2-vue
    2.3.02.4.0
  • npm@antv/sam
    0.3.00.4.0
  • npm@antv/scale
    0.6.20.7.2
  • npm@antv/semantic-release-pnpm
    1.1.41.2.4
  • npm@antv/smart-color
    0.3.10.4.1
  • npm@antv/stat
    0.1.20.2.2
  • npm@antv/t8
    0.4.00.5.0
  • npm@antv/thumbnails
    2.1.02.2.0
  • npm@antv/thumbnails-component
    2.1.02.2.0
  • npm@antv/torch
    1.1.61.2.6
  • npm@antv/translator
    1.1.11.2.1
  • npm@antv/util
    3.4.113.5.11
  • npm@antv/vendor
    1.1.111.2.11
  • npm@antv/vis-predict-engine
    0.2.10.3.1
  • npm@antv/webgpu-graph
    1.1.01.2.0
  • npm@antv/word-scale-chart
    0.4.40.5.4
  • npm@antv/wx-f2
    2.2.12.3.1
  • npm@antv/x6
    3.2.73.3.7
  • npm@antv/x6-angular-shape
    3.1.13.2.1
  • npm@antv/x6-components
    0.11.70.12.7
  • npm@antv/x6-react
    0.2.260.3.26
  • npm@antv/x6-react-shape
    3.1.13.2.1
  • npm@antv/x6-vector
    1.5.21.6.2
  • npm@antv/x6-vue-shape
    3.1.23.2.2
  • npm@antv/x6-vue3-shape
    1.1.01.2.0
  • npm@antv/xflow
    2.2.132.3.13
  • npm@antv/xflow-diff
    1.1.01.2.0
  • npm@lint-md/cli
    2.1.02.2.0
  • npm@lint-md/core
    2.1.02.2.0
  • npm@lint-md/parser
    0.1.140.2.14
  • npmai-figure
    0.5.00.6.0
  • npmamapcn
    0.2.20.3.2
  • npmast-plugin
    0.1.70.2.7
  • npmbabel-plugin-version
    0.3.30.4.3
  • npmboring-avatars-vanilla
    1.1.21.2.2
  • npmbyte-parser
    1.1.01.2.0
  • npmcanvas-nest.js
    2.1.42.2.4
  • npmecharts-for-react
    3.0.73.1.73.2.7
  • npmfilesize.js
    2.1.02.2.0
  • npmfixed-round
    1.1.21.2.2
  • npmgantt-for-react
    0.3.00.4.0
  • npmjest-canvas-mock
    2.5.32.6.32.7.3
  • npmjest-date-mock
    1.0.111.1.111.2.11
  • npmjest-electron
    0.2.120.3.12
  • npmjest-expect
    0.1.10.2.1
  • npmjest-less-loader
    0.3.00.4.0
  • npmjest-random-mock
    1.1.01.2.0
  • npmjest-url-loader
    0.2.00.3.0
  • npmlimit-size
    0.2.40.3.4
  • npmlint-md
    0.3.00.4.0
  • npmlint-md-cli
    0.2.20.3.2
  • npmmcp-echarts
    0.8.10.9.1
  • npmmcp-mermaid
    0.5.10.6.1
  • npmmiz
    1.1.11.2.1
  • npmonfire.js
    2.1.12.2.1
  • npmreact-adsense
    0.2.00.3.0
  • npmrelationship.js
    1.3.91.4.9
  • npmribbon.js
    1.1.2
  • npmsize-sensor
    1.0.41.1.41.2.4
  • npmslice.js
    1.2.11.3.1
  • npmtimeago-react
    3.1.73.2.7
  • npmtimeago.js
    4.1.24.2.2
  • npmword-width
    1.1.11.2.1
  • npmxmorse
    1.1.01.2.0

Impact

  • AWS, GCP, Azure credentials (instance metadata + env)
  • GitHub Personal Access Tokens and npm publish tokens — enables further worm propagation
  • Kubernetes service account tokens and kubeconfig files
  • HashiCorp Vault tokens, Stripe keys, database connection strings
  • SSH private keys and .env / .env.* secrets
  • Docker container escape attempt via the host socket
  • preinstall hook runs even with npm ci --ignore-scripts only if Bun is present — but bun run is invoked directly, bypassing standard npm script gating

What to do

  1. 1Block / pin away from every (name, version) pair in the packages map below. For top-impact packages: pin @antv/g2 to <= 5.4.8, @antv/g6 to <= 5.1.1, @antv/x6 to <= 3.1.7, echarts-for-react to <= 3.0.6, size-sensor to <= 1.0.3, timeago.js to <= 4.0.2, jest-canvas-mock to <= 2.5.2, jest-date-mock to <= 1.0.10
  2. 2Purge node_modules and any cached tarballs published between 2026-05-19T01:39Z and 2026-05-19T02:10Z
  3. 3Assume credential compromise on any CI runner or developer machine that ran npm install/pnpm install/yarn install against any of these packages during the exposure window. Rotate npm/GitHub/GitLab/CircleCI tokens, AWS/GCP/Azure keys, K8s tokens, Vault tokens, Stripe keys, DB passwords
  4. 4Audit optionalDependencies in every lockfile for entries pointing to antvis/G2 commit hashes — these are the secondary payload bootstrap
  5. 5Audit your own npm publish history (under every maintainer account on the affected machines) for unexpected releases after 2026-05-19T01:30Z — the worm targets maintainer publish rights for propagation
  6. 6Block egress to known Mini Shai-Hulud C2 infrastructure shared with the SAP/TanStack waves; cross-reference IOCs from the Wiz and Socket reports on those campaigns

References

npm-2026-05-19-antv-mini-shai-hulud