Compromised npm Maintainer Account Fuels Malicious AntV Packages in Mini Shai‑Hulud Supply‑Chain Attack
What Happened – Researchers uncovered a new supply‑chain campaign dubbed Mini Shai‑Hulud that hijacked the npm maintainer account atool. The attacker pushed malicious versions of several @antv ecosystem packages, including the popular echarts‑for‑react wrapper (≈1.1 M weekly downloads).
Why It Matters for TPRM –
- Third‑party JavaScript libraries are a common attack surface for SaaS and web‑app providers.
- Compromise of a single maintainer can cascade to thousands of downstream customers across sectors.
- Detecting malicious code in open‑source dependencies is difficult without continuous SBOM and runtime monitoring.
Who Is Affected – Technology & SaaS firms, fintech platforms, e‑commerce sites, and any organization that embeds React‑based data visualizations from the @antv ecosystem.
Recommended Actions –
- Immediately audit all projects for usage of compromised @antv packages and replace with clean versions.
- Enforce strict SBOM validation and provenance checks for all npm dependencies.
- Deploy runtime integrity monitoring (e.g., SCA tools, EDR) to detect anomalous behavior from injected code.
Technical Notes – Attack vector: THIRD_PARTY_DEPENDENCY via a compromised maintainer account. No CVE is associated; the malicious payload injects hidden network calls and potential data exfiltration. Affected data types include any client‑side information processed by the compromised libraries. Source: The Hacker News