HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Compromised npm Maintainer Account Fuels Malicious AntV Packages in Mini Shai‑Hulud Supply‑Chain Attack

Researchers identified a Mini Shai‑Hulud campaign that hijacked the npm maintainer atool, pushing malicious versions of @antv libraries such as echarts‑for‑react. The move threatens any organization that relies on these popular JavaScript visualisation components, highlighting the need for rigorous third‑party risk controls.

LiveThreat™ Intelligence · 📅 May 19, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

Compromised npm Maintainer Account Fuels Malicious AntV Packages in Mini Shai‑Hulud Supply‑Chain Attack

What Happened – Researchers uncovered a new supply‑chain campaign dubbed Mini Shai‑Hulud that hijacked the npm maintainer account atool. The attacker pushed malicious versions of several @antv ecosystem packages, including the popular echarts‑for‑react wrapper (≈1.1 M weekly downloads).

Why It Matters for TPRM

  • Third‑party JavaScript libraries are a common attack surface for SaaS and web‑app providers.
  • Compromise of a single maintainer can cascade to thousands of downstream customers across sectors.
  • Detecting malicious code in open‑source dependencies is difficult without continuous SBOM and runtime monitoring.

Who Is Affected – Technology & SaaS firms, fintech platforms, e‑commerce sites, and any organization that embeds React‑based data visualizations from the @antv ecosystem.

Recommended Actions

  • Immediately audit all projects for usage of compromised @antv packages and replace with clean versions.
  • Enforce strict SBOM validation and provenance checks for all npm dependencies.
  • Deploy runtime integrity monitoring (e.g., SCA tools, EDR) to detect anomalous behavior from injected code.

Technical Notes – Attack vector: THIRD_PARTY_DEPENDENCY via a compromised maintainer account. No CVE is associated; the malicious payload injects hidden network calls and potential data exfiltration. Affected data types include any client‑side information processed by the compromised libraries. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →