- An npm supply chain attack on May 19 compromised 314 packages with 637 malicious versions in just 22 minutes.
- Affected packages have millions of monthly downloads, including size-sensor and echarts-for-react.
- The payload steals credentials from AWS, Kubernetes, GitHub, and even local password managers like 1Password and Bitwarden.
- Forensic fingerprints link this attack to the same toolkit used in a SAP compromise just three weeks earlier.
314 Packages Down in 22 Minutes
On May 19, 2026, a single compromised npm account triggered one of the most efficiently executed npm supply chain attacks on record. The attacker gained access to the atool account — registered to [email protected] — and between 01:44 and 02:06 UTC published 637 malicious package versions across 317 packages. That’s roughly 29 versions per minute. Automated, precise, and clearly pre-planned.
The packages involved aren’t obscure utilities buried in the long tail of the registry. size-sensor pulls in around 4.2 million downloads a month. echarts-for-react sits at 3.8 million. timeago.js handles 1.15 million. These are packages embedded deep in the dependency graphs of production applications the world over. If you’re running a JavaScript-heavy frontend or any Node.js project that touches charting or UI tooling, there’s a real chance something in your node_modules folder was briefly — or still is — compromised.
The npm Supply Chain Attack That Echoes a Bigger Pattern
Security researchers at SafeDep were quick to notice something about this npm supply chain attack that goes beyond the sheer scale. The payload — a 498KB obfuscated Bun script — carries the unmistakable fingerprints of a toolkit called Mini Shai-Hulud. Same scanner architecture. Same credential regex patterns. Same obfuscation approach. It’s the exact toolkit blamed for a compromise of SAP systems roughly three weeks before this incident.
That’s significant. It means whoever is behind this isn’t improvising. They’ve built a repeatable, modular attack framework and are actively deploying it against different targets in the open-source ecosystem. The Dune-themed naming convention — packages with generated names drawn from words like sardaukar, fremen, harkonnen, and sandworm — suggests either a single actor with a flair for sci-fi, or a group sharing tooling and aesthetics. Either way, the sophistication here is real.
The same period also saw three compromised versions of the Microsoft durabletask Python SDK (versions 1.4.1, 1.4.2, and 1.4.3) appear on PyPI, each pulling down a stage-2 payload designed to steal cloud credentials. Whether these incidents are directly connected or simply concurrent activity from actors using similar tooling remains unclear — but the timing is hard to ignore.
What the Payload Actually Does
The malware’s credential harvesting scope is genuinely alarming. It doesn’t just grab environment variables and call it a day. It walks the full AWS credential chain: environment variables, config files, the EC2 instance metadata service at 169.254.169.254, ECS container metadata, and AWS Secrets Manager. It also targets Kubernetes service account tokens, HashiCorp Vault, GitHub personal access tokens, npm publish tokens, SSH keys, and local password manager vaults — 1Password, Bitwarden, pass, and gopass are all explicitly targeted.
Stolen data leaves the machine through two parallel channels. First, it’s committed as Git objects to freshly created public GitHub repositories using the victim’s own compromised token, with the HTTP User-Agent forged as python-requests/2.31.0 to blend in. Second, it’s encrypted with RSA+AES and posted to t.m-kosche[.]com disguised as OpenTelemetry trace data — a clever choice, since OTel traffic is increasingly common in cloud-native environments and unlikely to trigger alerts.
In CI environments, the payload gets particularly nasty. It exchanges GitHub Actions OIDC tokens for npm publish tokens, then signs artifacts using Sigstore’s Fulcio and Rekor infrastructure with the stolen identity. That means downstream consumers of affected packages could receive cryptographically signed — but malicious — releases: a valid signature shows only which CI identity signed the artifact, not that the release is trustworthy. The payload also injects a workflow named “Run Copilot” at .github/workflows/codeql.yml that dumps toJSON(secrets) as a GitHub Actions artifact, then self-destructs by deleting the workflow run and resetting the branch. Forensically clean and deeply invasive.
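A repository-side check for the workflow tampering described above, as an added example that is not from the original article or from SafeDep: it flags workflow files that expand toJSON(secrets), carry the name "Run Copilot", or are named codeql.yml without referencing github/codeql-action. The rule ids, the masquerade heuristic and both sample texts are assumptions constructed for illustration.

```javascript
// Added example: heuristics for the injected workflow described above.
// Rule ids and both sample texts are constructed for illustration.
const RULES = [
  { id: 'secrets-dump', why: 'expands the whole secrets context',
    re: /\$\{\{[^}]*\btoJSON\(\s*secrets\s*\)[^}]*\}\}/i },
  { id: 'run-copilot-name', why: 'name reported for the injected workflow',
    re: /^\s*(-\s*)?name:\s*["']?Run Copilot["']?\s*$/i },
];

// Scan one workflow's text. Lines starting with '#' are scanned too: inside
// a `run: |` block they are script text and expressions in them still expand.
function scanWorkflow(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const r of RULES) {
      if (r.re.test(line)) findings.push({ file, rule: r.id, line: i + 1, why: r.why });
    }
  });
  // A file called codeql.yml that never references the CodeQL action is
  // using the name as cover.
  if (/^codeql\.ya?ml$/i.test(file) && !/github\/codeql-action\//i.test(text)) {
    findings.push({ file, rule: 'codeql-masquerade', line: 0,
      why: 'named codeql.yml but does not use github/codeql-action' });
  }
  return findings;
}

// Scan <root>/.github/workflows; a missing directory yields no findings.
async function scanRepo(root) {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const dir = path.join(root, '.github', 'workflows');
  const names = await fs.readdir(dir).catch(() => []);
  const out = [];
  for (const n of names.filter((f) => /\.ya?ml$/i.test(f))) {
    out.push(...scanWorkflow(n, await fs.readFile(path.join(dir, n), 'utf8')));
  }
  return out;
}

// Constructed samples: only the indicator lines, not complete workflows.
const SAMPLE_INJECTED = ['name: Run Copilot', 'env:', '  ALL: ${{ toJSON(secrets) }}'].join('\n');
const SAMPLE_BENIGN = ['name: CodeQL', 'jobs:', '  analyze:', '    steps:',
  '      - uses: github/codeql-action/init@v3',
  '      - uses: github/codeql-action/analyze@v3'].join('\n');

// Usage: node scan-workflows.js /path/to/repo
if (process.argv[2]) scanRepo(process.argv[2]).then((f) => console.log(JSON.stringify(f, null, 2)));
```

Because the workflow is described as deleting its run and resetting the branch, an empty result on the current tree does not show that it never ran.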
AI Tools and IDE Hooks: A New Persistence Vector
One of the more forward-looking aspects of this npm supply chain attack is how deliberately it targets AI coding tools. The malware injects SessionStart hooks into Claude Code and OpenAI’s Codex
Source: https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/

