“`html
The npm registry executed a swift platform-wide action last week after supply chain breaches jeopardized numerous developers. On May 19, npm rendered invalid every granular access token with write privileges that circumvent two-factor authentication, compelling maintainers to create new credentials and revise all automated workflows.
The reset was a direct response to an operation termed Mini Shai-Hulud, a synchronized threat that has been infiltrating the JavaScript ecosystem for nearly a month.
The incident that instigated the mass reset occurred late on May 18, when malicious actors compromised a legitimate npm maintainer account named atool, resulting in the deployment of 639 harmful package versions across 323 distinct packages in one automated surge.
This wave permeated the @antv data visualization ecosystem, impacting packages such as echarts-for-react, which accumulates about 1.1 million weekly downloads, in addition to timeago.js, size-sensor, and canvas-nest.js. The velocity and extent of the attack left almost no opportunity for defenders to respond.
Analysts at Socket.dev stated in a report shared with Cyber Security News (CSN) that the Mini Shai-Hulud operation had already been active for three weeks prior to this wave, and that the @antv breach followed an earlier infiltration of 42 TanStack npm packages on May 11, which included @tanstack/react-router with 12 million weekly downloads.
Socket monitored 1,055 compromised versions across 502 distinct packages encompassing npm, PyPI, and Composer. The group responsible has been identified as a threat actor known as TeamPCP.
The campaign also extended further than many developers anticipated. GitHub announced that attackers extracted around 3,800 of its internal repositories, with the entry point traced to Nx Console, a VS Code extension boasting 2.2 million installations.
Attackers obtained credentials from an Nx maintainer during the TanStack breach and utilized them to publish an unsafe build of the extension.
This version remained on the Visual Studio Marketplace for 18 minutes before removal, but it was sufficient to provide credentials that enabled the attackers to access GitHub.
Alongside the credential reset, npm initiated Staged Publishing into public preview on May 20, a feature that many in the security realm believe carries significantly more long-term importance.
Mini Shai-Hulud Attack Forces npm
Mini Shai-Hulud revolves around one fundamental concept: acquire the tokens developers utilize to publish packages, then upload poisoned versions of every package maintained by the victim.
The worm scans developer machines and CI environments for npm credentials, and as bypass-2FA granular access tokens have extended lifespans and are stored in secret repositories, they become easy targets.
Once harvested, the worm automatically republishes harmful versions, converting each compromised account into a launchpad for additional infections.
The campaign’s most destructive actions did not even require a stolen token. TanStack’s attackers leveraged a chained exploit involving a Pwn Request attack, GitHub Actions cache poisoning, and real-time extraction of an OIDC token from a runner’s process memory.
The Bitwarden CLI breach on April 23 resulted from directly infecting the project’s publish-ci.yml workflow. Both attacks evaded Trusted Publishing entirely, which is the very safeguard npm now recommends as the primary defense for the larger ecosystem.
Staged Publishing and What Maintainers Should Do Now
npm’s more significant reaction to Mini Shai-Hulud is Staged Publishing, which entered public preview when GitHub integrated the npm stage command into CLI v11.15.0.
Under this framework, automated CI publishes navigate through a staging area, where a maintainer must approve the release through an MFA-verified step before it reaches users.
Even if an attacker uploads a malicious version through stolen credentials, the release halts at the staging gate until a human reviews it.
Security researcher Adnan Khan urged all npm maintainers to enable Staged Publishing without delay, labeling it a direct counter to Shai-Hulud. npm creator Isaac Schlueter urged GitHub, npm, and Microsoft to entirely disable non-MFA publishing throughout the ecosystem.
Maintainers whose pipelines malfunctioned after the reset should create new granular tokens and rotate every credential that the environment may have interacted with, encompassing GitHub tokens, AWS, GCP, and Azure credentials, SSH keys, Kubernetes tokens, Vault tokens, Stripe keys, and AI configuration files such as .claude/settings.json.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| npm Package (Compromised) | @antv ecosystem (323 unique packages) | Packages poisoned via hijacked atool maintainer account on May 18, 2026 |
| npm Account (Hijacked) | atool | Legitimate maintainer account seized by attackers to publish 639 malicious versions |
| npm Package (Compromised) | echarts-for-react | Part of @antv burst; ~1.1 million weekly downloads affected |
| npm Package (Compromised) | timeago.js | Part of @antv ecosystem targeted in May 18 burst |
| npm Package (Compromised) | size-sensor | Part of @antv ecosystem targeted in May 18 burst |
| npm Package (Compromised) | canvas-nest.js | Part of @antv ecosystem targeted in May 18 burst |
| npm Package (Compromised) | @tanstack/react-router | Compromised in May 11 TanStack wave; ~12 million weekly downloads |
| npm Packages (Compromised) | @tanstack (42 packages total, 84 malicious versions) | TanStack wave compromise on May 11, 2026 |
| VS Marketplace Package (Compromised) | Nx Console v18.95.0 | Poisoned VS Code extension; live for 18 minutes before takedown |
| CI/CD File | publish-ci.yml | Bitwarden CLI workflow file directly infected on April 23, 2026 |
| AI Config File | .claude/settings.json | Targeted by Mini Shai-Hulud worm payload for credential harvesting |
| Threat Actor | TeamPCP | Attribution for the Mini Shai-Hulud campaign |
Note: IP addresses and domains are deliberately defanged (e.g., [.]) to avert accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence environments such as MISP, VirusTotal, or your SIEM.
“`