Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack

What happened

TeamPCP’s Mini Shai-Hulud supply chain campaign has expanded again, with over 320 npm packages compromised through a hijacked maintainer account in the @antv namespace. The compromised account, atoll, also publishes timeago.js with approximately 1.5 million weekly downloads, and the attack propagated downstream to echarts-for-react with around 1.1 million weekly downloads. Socket reports roughly 639 malicious versions were published across data visualization, graphing, mapping, charting, and React component ecosystems.

Across the full Mini Shai-Hulud campaign, Socket has now tracked 1,055 versions across 502 unique packages spanning npm, PyPI, and Composer. Every compromised package carries an obfuscated install-time payload that reads GitHub Actions runner process memory to extract masked CI/CD secrets in plaintext, harvests credentials from over 130 file paths covering AWS, GCP, Azure, Kubernetes, HashiCorp Vault, cryptocurrency wallets, and developer tools, and exfiltrates stolen data through GitHub repositories and a fallback server. The payload also contains npm registry abuse logic that validates stolen tokens, enumerates packages the token owner can publish, injects the malicious payload, and republishes them under the compromised maintainer’s identity.

New capabilities observed in this wave include downloading and executing Python code from attacker infrastructure, providing ongoing remote execution capabilities on compromised systems, and dropping persistent backdoors into Claude Code configurations. Over 2,200 GitHub repositories containing exfiltrated data have been identified. Microsoft’s Durabletask Python SDK was also compromised with three malicious versions uploaded to PyPI within a 35-minute window, and the GitHub Action actions-cool/issues-helper was separately compromised in the same campaign.

Who is affected

Developers and organizations that installed any of the 320-plus compromised @antv packages, timeago.js, echarts-for-react, Microsoft’s Durabletask Python SDK, or used the actions-cool/issues-helper GitHub Action are directly at risk. CI/CD environments are particularly exposed given the payload’s specific capability to extract masked secrets from GitHub Actions runner memory. The 2,200-plus GitHub repositories containing exfiltrated data indicate the campaign has already produced significant credential harvesting at scale.
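
One way to check a project against the package names listed above, as an added example that is not from the article or from Socket: it walks the `packages` map of a parsed `package-lock.json` and reports every entry in the @antv scope or named timeago.js or echarts-for-react, including nested copies. The function names and the sample lockfile are constructed for illustration; the article gives no affected version numbers, so hits must be compared against a published advisory.

```javascript
// Added example: list package-lock.json entries for the packages named in this article.
// The article gives no version numbers, so every hit is reported for manual review.
const WATCHED_NAMES = new Set(["timeago.js", "echarts-for-react"]);
const WATCHED_SCOPES = ["@antv/"];

// "node_modules/a/node_modules/@antv/g2" -> "@antv/g2"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function isWatched(name) {
  return WATCHED_NAMES.has(name) || WATCHED_SCOPES.some((s) => name.startsWith(s));
}

// Accepts a parsed package-lock.json with a "packages" map (lockfileVersion 2 or 3).
function findWatchedPackages(lock) {
  const root = (lock.packages || {})[""] || {};
  // Names the root project declares itself; anything else arrived transitively.
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (path === "" || !isWatched(name)) continue;
    hits.push({
      name, path,
      version: meta.version,
      direct: direct.has(name),
      hasIntegrity: typeof meta.integrity === "string",
    });
  }
  return hits;
}

// Constructed sample lockfile: versions and integrity values are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", dependencies: { "echarts-for-react": "^0.0.2", widget: "^1.0.0" } },
    "node_modules/@antv/g2": { version: "0.0.1", integrity: "sha512-EXAMPLE" },
    "node_modules/echarts-for-react": { version: "0.0.2", integrity: "sha512-EXAMPLE" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-EXAMPLE" },
    "node_modules/widget/node_modules/timeago.js": { version: "0.0.3" },
  },
};

for (const h of findWatchedPackages(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version} ${h.direct ? "direct" : "transitive"} ${h.path}`);
}
```

To run it on a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findWatchedPackages`.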

Why CISOs should care

The Mini Shai-Hulud campaign has now compromised 502 unique packages across three package ecosystems, reached GitHub’s internal repositories, affected OpenAI, Mistral AI, and Grafana Labs, and is actively evolving its capabilities with each wave. The addition of Python-based remote execution and persistent Claude Code backdoors in this iteration shows the campaign is not static. The GitHub Actions memory reading capability is particularly significant for organizations running CI/CD pipelines, as it specifically targets the runtime secrets that are masked in pipeline logs, bypassing the protection that masking is intended to provide.

3 practical actions

  1. Immediately audit all @antv namespace packages, timeago.js, echarts-for-react, and Durabletask in your dependency trees and CI environments: Any environment where these packages were installed should be treated as a credential compromise. Rotate all secrets present in those environments including AWS, GCP, Azure, Kubernetes, HashiCorp Vault credentials, npm tokens, and GitHub tokens, and remove any persistent backdoors dropped into Claude Code configurations.
  2. Implement GitHub Actions secret scanning for runtime memory extraction patterns: The payload specifically reads GitHub Actions runner process memory to extract masked CI/CD secrets in plaintext. Review your GitHub Actions workflows for unexpected process memory access patterns and consider implementing StepSecurity’s Harden-Runner or equivalent controls that monitor and restrict Actions runner behavior at runtime.
  3. Pin all npm package versions and GitHub Actions to specific commit SHAs rather than mutable tags: The Mini Shai-Hulud campaign exploits the fact that version tags and branch references are mutable. Pinning dependencies to specific immutable commit SHAs ensures that a compromised maintainer republishing a package under an incremented version number does not automatically reach your environment through standard update processes.
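
A check for the third action, as an added example that is not from the article: it scans GitHub Actions workflow text for `uses:` references that are not pinned to a full 40-character commit SHA and marks any reference to actions-cool/issues-helper. The function name, the sample workflow and the SHA in it are constructed for illustration.

```javascript
// Added example: flag `uses:` references that are not pinned to a full commit SHA.
// Local (./) and docker:// references are skipped because they carry no git ref.
const USES_RE = /^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/i;
const NAMED_IN_ARTICLE = new Set(["actions-cool/issues-helper"]);

function auditWorkflow(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const target = m[1];
    if (target.startsWith("./") || target.startsWith("docker://")) return;
    const at = target.lastIndexOf("@");
    const action = at === -1 ? target : target.slice(0, at);
    const ref = at === -1 ? "" : target.slice(at + 1);
    // owner/repo only, so owner/repo/subdir@ref is matched against the repo.
    const repo = action.split("/").slice(0, 2).join("/").toLowerCase();
    findings.push({
      line: i + 1, action, ref,
      pinned: FULL_SHA_RE.test(ref), // tags and branches are mutable, a SHA is not
      namedInArticle: NAMED_IN_ARTICLE.has(repo),
    });
  });
  return findings;
}

// Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - name: helper
        uses: actions-cool/issues-helper@v3
      - uses: ./.github/actions/local-build
`;

for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  const flags = [f.pinned ? "pinned" : "UNPINNED", f.namedInArticle ? "named-in-article" : ""];
  console.log(`line ${f.line}: ${f.action}@${f.ref} ${flags.join(" ").trim()}`);
}
```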

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.