
New Shai-Hulud malware wave compromises 600 npm packages

Why This Matters

The recent wave of Shai-Hulud malware attacks on over 600 npm packages highlights the growing threat of supply chain compromises in the tech industry. These attacks not only jeopardize the security of countless developer environments but also demonstrate the increasing sophistication of threat actors exploiting open-source ecosystems to exfiltrate sensitive data. This underscores the urgent need for improved security practices and monitoring within software development pipelines to protect both consumers and organizations.

Key Takeaways

Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign.

Most of the affected packages are in the @antv ecosystem, which includes libraries for charting, graph visualization, flowchart building, and mapping. However, popular packages outside this namespace have also been compromised.

As in the previous Shai-Hulud campaign impacting TanStack and Mistral packages, the payload collects secrets from developer and CI/CD environments and exfiltrates them over the Session P2P network to complicate detection and takedown efforts.

The threat actor also used GitHub as a fallback exfiltration mechanism, publishing stolen data in repositories under victims' accounts when it found tokens that allowed publishing.

According to application security company Socket, the hackers published 639 malicious versions across 323 unique packages in about one hour. Some of the impacted libraries include:

echarts-for-react

@antv/g2

@antv/g6

@antv/x6

@antv/l7

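A first triage step a defender would take after reading the list above is to check whether any of the named packages (or anything in the @antv namespace the article calls most affected) sits in a project's lockfile. The following is an added example written for this page, not code from the article or from Socket: it walks a `package-lock.json` in both the v1 (`dependencies`) and v2/v3 (`packages`) layouts and reports every match. The article gives no affected version numbers, so the script flags packages by name for manual comparison against the advisory rather than declaring anything malicious; the lockfile and its version strings below are constructed for the demo. The `hasInstallScript` field is a real lockfile v2/v3 flag that npm sets when a package declares install-time lifecycle scripts; it is surfaced here only because such packages deserve a closer look, not because the article says this campaign used them.

```javascript
// Added example (not from the article): audit a package-lock.json for packages
// named in the Shai-Hulud advisory. Affected versions are not on the page, so
// every hit is reported for manual review rather than judged malicious.

// Package names taken from the article's list.
const WATCHLIST_NAMES = new Set([
  'echarts-for-react',
  '@antv/g2',
  '@antv/g6',
  '@antv/x6',
  '@antv/l7',
]);
// The article names the whole @antv namespace as the most affected ecosystem.
const WATCHLIST_SCOPES = ['@antv/'];

function isWatched(name) {
  return WATCHLIST_NAMES.has(name) || WATCHLIST_SCOPES.some((s) => name.startsWith(s));
}

// Lockfile v2/v3 keys are node_modules paths such as
// "node_modules/foo/node_modules/@antv/g2"; the package name is the part after
// the last "node_modules/". The root project entry ("") has no such segment.
function nameFromPath(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// Returns [{ name, version, path, hasInstallScript }] sorted by install path.
function findWatchedPackages(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3 layout: flat map of install paths to package metadata.
    for (const [key, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(key);
      if (name && isWatched(name)) {
        hits.push({
          name,
          version: meta.version,
          path: key,
          hasInstallScript: Boolean(meta.hasInstallScript),
        });
      }
    }
  } else if (lock.dependencies) {
    // v1 layout: nested "dependencies" tree; v1 has no hasInstallScript flag.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (isWatched(name)) {
          hits.push({ name, version: meta.version, path, hasInstallScript: false });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed sample lockfile (v3 layout); the version strings are placeholders.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@antv/g2': '^5.0.0', react: '^18.0.0' } },
    'node_modules/@antv/g2': { version: '5.0.0-example', hasInstallScript: true },
    'node_modules/react': { version: '18.2.0' },
    'node_modules/echarts-for-react': { version: '3.0.0-example' },
    // A transitive @antv package nested under another dependency.
    'node_modules/echarts-for-react/node_modules/@antv/util': { version: '3.0.0-example' },
  },
};

// Stand-alone run: print the review list for the constructed lockfile.
for (const hit of findWatchedPackages(SAMPLE_LOCK)) {
  const flag = hit.hasInstallScript ? ' [declares install scripts]' : '';
  console.log(`REVIEW ${hit.name}@${hit.version} at ${hit.path}${flag}`);
}
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and compare each reported version with the affected versions in Socket's advisory; pinning dependencies and installing with `npm ci --ignore-scripts` in CI while the review is pending limits what a freshly published malicious version can do at install time.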