Overview
- The AntV ecosystem was hit Tuesday in what researchers called a one-hour publishing burst: 639 malicious versions across 323 packages were pushed from the compromised atool account.
- Each tainted release added a preinstall script that executed on developer machines and CI runners, exfiltrating data over the encrypted Session network and, when possible, to new GitHub repositories marked with a reversed Shai-Hulud phrase.
- The payload abused npm tokens to enumerate and republish packages under real maintainer identities and used OIDC tokens to generate valid Sigstore provenance, making poisoned versions appear authentic.
- Researchers found persistence in VS Code and Claude Code settings and in OS services, so teams are urged to remove or pin to known-good versions, rotate all exposed credentials, and clean developer and CI systems.
- Across waves, investigators have tracked about 1,055 malicious versions across npm, PyPI, and Composer, and a copycat actor used leaked Shai-Hulud code to publish four npm stealers, including one that deployed a Golang DDoS bot named Phantom Bot.
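
Because the tainted releases ran from a preinstall script and, per the summary above, carried valid provenance, a lockfile audit for unreviewed install-time scripts and drift from pinned versions is a useful check. The following is an added example, not code from the researchers or the affected projects; the package names, versions, pins and allowlist are constructed, and it assumes an npm `package-lock.json` with lockfileVersion 2 or 3.

```javascript
// Added example (not from the original report). Package names, versions and
// pins below are constructed; the lockfile shape is npm lockfileVersion 2/3.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-charts": { version: "2.4.1", hasInstallScript: true },
    "node_modules/example-utils": { version: "1.0.3" },
    "node_modules/example-native": { version: "5.1.0", hasInstallScript: true },
    "node_modules/example-charts/node_modules/example-utils": { version: "1.0.9" },
  },
};
// Versions the team has reviewed and pinned (constructed).
const KNOWN_GOOD = new Map([["example-charts", "2.4.0"], ["example-utils", "1.0.3"]]);
// Packages reviewed and expected to run an install-time build (constructed).
const SCRIPT_ALLOWLIST = new Set(["example-native"]);

// "node_modules/a/node_modules/@s/b" -> "@s/b"; workspace paths are returned as-is.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns one finding per problem: an unreviewed install-time script
// (npm sets hasInstallScript for preinstall/install/postinstall), or a
// resolved version that differs from the pinned known-good version.
function auditLock(lock, knownGood, scriptAllowlist) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const name = packageName(lockPath);
    const version = entry.version;
    if (entry.hasInstallScript && !scriptAllowlist.has(name)) {
      findings.push({ reason: "install-script", name, version, lockPath });
    }
    if (knownGood.has(name) && knownGood.get(name) !== version) {
      findings.push({ reason: "pin-drift", name, version, lockPath, expected: knownGood.get(name) });
    }
  }
  return findings;
}

for (const f of auditLock(SAMPLE_LOCK, KNOWN_GOOD, SCRIPT_ALLOWLIST)) {
  console.log(`${f.reason}: ${f.name}@${f.version} (${f.lockPath})`);
}
```

To audit a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as the first argument. Installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running while the findings are reviewed.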