Another massive supply chain attack is spreading. Hundreds of compromised NPM packages are being detected, with hackers using stolen secrets to create over 2,200 public GitHub repositories, all because TeamPCP hijacked a single maintainer’s account.
Security teams are sounding the alarm over hundreds of legitimate, highly popular NPM packages containing malware. The malware is spreading across widely used data visualization, graphing, mapping, charting, and React component ecosystems.
Socket’s Threat Research team identified 639 newly compromised package versions across 323 unique packages on Tuesday. Installing or updating them pulls an infostealer that sweeps the system for credentials, API keys, crypto wallets, and other sensitive secrets.
The campaign started at around 01:56 UTC on May 19th, 2026
Attackers embedded malware in several popular standalone packages:
- jest-canvas-mock (2.4 million weekly downloads) is used by developers to test graphics code without a browser
- jest-date-mock (381,400 weekly downloads) is a tool for simulating date and time in automated tests
- echarts-for-react (890,000 weekly downloads) is a package that helps embed interactive charts into web applications
- size-sensor (970,000 weekly downloads) is a utility that resizes charts and other elements
The malware has also been propagating across Alibaba’s widely used open-source data visualization ecosystem, @antv, where some packages have millions of monthly downloads and hundreds of dependent packages.
The attack also expanded beyond the AntV, and malware was flagged in several @lint-md, @openclaw-cn, and @starmind packages.
“The potential blast radius is significant,” Socket’s Threat Research team said in the report.
“Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions.”
Attackers are using Mini-Shai-Hulud, the same malware that compromised TanStack and Mistral AI packages last week, extending the streak to a total of 1055 malicious NPM packages.
A single maintainer got compromised
What’s shocking is that the compromise of a single account led to one of the largest supply chain compromises – the same publisher is behind many popular open-source projects.
StepSecurity researchers detailed that an npm account called atool (email [email protected]) is the primary publisher for nearly all the affected libraries. It was used to publish a compromised version of timeago.js, a JavaScript library for relative time formatting with over 1.5 million weekly downloads, as well as AntV packages.
“The standalone packages in this campaign … are unrelated to AntV by function but were maintained by the same account or publishing pipeline that the attacker compromised,” the report by StepSecurity reads.
The same maintainer account publishes 547 packages in total. It’s unclear how the account got compromised.
“The pattern is a textbook indicator of a compromised publishing credential, and the blast radius is large: the affected packages pull more than 16 million downloads per week combined,” said OpenSourceMalware.com in its report.
Hackers are after crypto wallets and secrets
As in previous Shai-Hulud attacks, attackers are laser-focused on credentials. The malware, created with AI assistance, has been expanding, reads every credential from the automated build pipeline (CI/CD), and currently sweeps over 130 file patterns on the infected system:
- Cloud credentials for AWS, Google Cloud Platform, Azure, and Terraform
- SSH keys (private keys and host authentication files)
- Developer tokens for NPM, PYPI, NET, Git credentials, and Docker configs
- Kubernetes configs, credentials, service account tokens, and secrets across all namespaces
- Crypto wallets
- Chat messaging configuration files and tokens, including Slack, Telegram, and Discord
- AI tool configurations for Claude, etc
The malware encrypts all the harvested data and beams it directly to the attacker-controlled server.
The attackers are abusing GitHub as a fallback dead drop for stolen data – the malware is capable of abusing stolen GitHub tokens to create repositories under the victim’s accounts and commit stolen data. Over 2,700 repositories with encrypted stolen credentials have already been published and counting. They’re using the reversed Shai-Hulud marker and Dune-themed names.
Like previously, the Shai-Hulud worm uses stolen npm tokens to self-propagate by injecting malicious payloads and publishing modified packages under a compromised maintainer’s identity.
“The practical implication for defenders: a package can now carry a valid provenance badge and still be malicious. The certificate subject is a legitimate CI identity. The Rekor log entry is real. The verification check passes. The package steals your credentials,” warns Endor Labs in its report.
As in previous supply chain attacks, security firms recommend that affected developers rotate all compromised credentials immediately and check whether the malware propagated to their packages.
NPM supply chain attacks becoming a running joke
The repeatable pattern of NPM attacks nearly every week for the past few months now makes them feel like a routine. Threat researchers respond with memes on X.
“Hey, npm? You there? It's time to wake up and do literally anything at all about this," developer and streamer Theo posted on X.
Malware analysts at vxunderground posted a cat meme mocking the cycle.
“I wake up, there's a new supply chain attack,” the post reads.
Even previously, threat security researchers had joked about never running “npm install” again.
Some wondered whether NPM can be used to install other things besides malware.
The underlying problem remains unsolved as NPM appears to be incapable of dealing with devastating supply chain attacks.
Some developers on Hacker News are calling for a cultural shift from “lazy versioning” and rapid releases to stable, deeply scanned versions at registries.
“The situation is getting crazy ... personally, I have already uninstalled node, Python, and all package managers from my machine and instead only use them in devcontainers/VMs,” one of the tech pros responded.
Meanwhile, threat actors are organizing a competition to see who will cause the biggest supply chain attack.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked