Vibe Coding
Mini Shai-Hulud Hits AntV: 639 Malicious npm Versions in a 22-Minute Automated Burst
On May 19, threat group TeamPCP compromised npm maintainer account 'atool' and published 639 malicious versions across 323 packages in 22 minutes, including @antv/g2, echarts-for-react (~1.1M weekly downloads), and timeago.js. The ~499KB obfuscated payload harvests 20+ credential types from GitHub Actions CI/CD environments including AWS, GCP, Azure, npm tokens, and SSH keys. GitHub invalidated 61,274 npm granular access tokens in response. Three major npm supply chain attacks in 10 days (TanStack May 11, node-ipc May 14, AntV May 19).
Source
↳ Follow the thread