惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

美团技术团队
W
WeLiveSecurity
Stack Overflow Blog
Stack Overflow Blog
L
LangChain Blog
S
SegmentFault 最新的问题
Apple Machine Learning Research
Apple Machine Learning Research
Google DeepMind News
Google DeepMind News
F
Full Disclosure
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The Register - Security
The Register - Security
G
Google Developers Blog
C
Check Point Blog
GbyAI
GbyAI
A
About on SuperTechFans
V
Vulnerabilities – Threatpost
T
The Blog of Author Tim Ferriss
T
Tor Project blog
AWS News Blog
AWS News Blog
Cyberwarzone
Cyberwarzone
C
CERT Recently Published Vulnerability Notes
MongoDB | Blog
MongoDB | Blog
Latest news
Latest news
aimingoo的专栏
aimingoo的专栏
U
Unit 42
Y
Y Combinator Blog
P
Privacy International News Feed
Cisco Talos Blog
Cisco Talos Blog
S
Securelist
S
Schneier on Security
雷峰网
雷峰网
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
C
Cisco Blogs
Webroot Blog
Webroot Blog
T
Troy Hunt's Blog
Google Online Security Blog
Google Online Security Blog
月光博客
月光博客
P
Privacy & Cybersecurity Law Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
罗磊的独立博客
Cloudbric
Cloudbric
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
H
Hackread – Cybersecurity News, Data Breaches, AI and More
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Microsoft Security Blog
Microsoft Security Blog

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target
Sonatype Security Research Team · 2026-05-20 · via 2024 Sonatype Blog

Why bother hunting for a CVE when you can just publish malicious code straight into the software supply chain? That's the story behind the latest wave of Shai-Hulud-related npm compromises, which recently hit the Ant Design (AntV) ecosystem and potentially exposed downstream developers to credential theft and remote code execution through trusted packages. Again.

The newest campaign (tracked as sonatype-2026-003200), compromised npm packages that used install-time hooks to steal developer and CI/CD secrets, then used publishing access to spread into more packages. This attack didn't rely on typo-squatting or sketchy package names, just trusted packages suddenly shipping malicious code to unsuspecting developers.

When attackers compromise real maintainers and publish malware under real package names, traditional trust signals are obsolete.

The package looks safe because yesterday it was.

What Happened in the AntV Ecosystem?

According to industry reporting, attackers compromised maintainers connected to the AntV visualization ecosystem and pushed malicious versions of multiple npm packages.

The payload reportedly attempted to:

  • Steal environment variables and developer secrets.

  • Harvest npm tokens.

  • Exfiltrate credentials from CI/CD systems.

  • Establish remote command execution capabilities.

Shai-Hulud Isn't One Package. It's a Playbook.

This is not just bad code in a package. It's exploiting normal ecosystem behavior. Compromise one maintainer account, infect trusted packages, harvest more credentials, compromise more publishers, and repeat until the ecosystem catches fire.

This loop keeps working because modern software delivery pipelines are built on inherited trust. If a package update comes from the right maintainer account, it's easy to assume it's legitimate by default.

Recent Shai-Hulud-linked or adjacent campaigns follow a clear pattern:

The AntV incident is the latest reminder that package ecosystems are now active attack surfaces, not passive dependency repositories.

"Malicious code can execute the moment a package is installed, so detecting it only minutes later will simply confirm the damage has already happened," said Ilkka Turunen, Sonatype's Field CTO. "The priority has to be prevention: suspicious packages should be quarantined before they ever reach a developer machine, build system, or CI pipeline."

CI/CD Secrets Are the Real Prize

The objective of this malware is even more concerning. Most modern npm supply chain attacks are really credential acquisition campaigns disguised as package compromises. Attackers want tokens, credentials, signing keys, or other sensitive information. Once they get those, the blast radius expands fast. One compromised developer laptop becomes a compromised CI pipeline, which then becomes a compromised package, and ultimately thousands of downstream infections.

This is why software supply chain attacks increasingly look more like identity attacks than traditional malware campaigns. The dependency is just the delivery mechanism.

Why Do Malicious npm Packages Keep Working?

Attackers continue to leverage hijacked npm accounts because they know that most organizations still trust package updates far too implicitly once a dependency makes it into an approved project.

Security reviews often happen at initial adoption, not continuously across every update. That worked reasonably well when the primary risk was known vulnerabilities. It works much less well when attackers are actively hijacking trusted publishers in real time.

A malicious update published under a legitimate maintainer account can bypass:

  • Allowlists.

  • Reputation assumptions.

  • Developer intuition.

  • Sometimes even security tooling.

Especially if the malicious version only lives briefly before being pulled. That's why many modern npm campaigns are fast, opportunistic, and automated. But a malicious package's removal cannot be treated as a sign of security.

Any successful download of a package in this campaign means credentials were stolen and can be used to launch another wave at any time.

How Did Shai-Hulud Infect Additional Ecosystems?

Cross-ecosystem infection happens when attackers use trust in one ecosystem to spread into others, treating package managers, source-control platforms, CI/CD tools, and IDE extensions as correlated targets. In this latest example, compromised @antv npm packages and GitHub Actions formed a shared infection path.

Malicious installs fetched additional payloads from GitHub-hosted infrastructure, stole developer credentials, and attempted to establish persistent access on infected systems. That makes the incident especially dangerous because a single poisoned dependency or tool can become a bridge into repositories, build pipelines, and cloud environments at once.

What Developers Should Check Right Now

If your organization consumes npm packages, especially frontend or JavaScript-heavy environments, this is a good time to verify a few things:

  1. Review recently updated dependencies: Especially transitive dependencies tied to visualization, frontend tooling, or the AntV ecosystem.

  2. Audit npm publishing tokens: Rotate tokens that may have been exposed in CI logs, environment variables, or developer machines.

  3. Check CI/CD secret exposure: Many of these campaigns specifically target build systems because that's where the high-value credentials live.

  4. Look for unusual install scripts: Postinstall and preinstall hooks remain popular malware delivery mechanisms.

  5. Verify maintainer and release anomalies: Unexpected maintainers, rushed patch releases, odd publish timing, or sudden dependency changes can all be indicators.

  6. Reduce implicit trust in package updates: "Trusted yesterday" is no longer sufficient validation logic.

Treat this as a credential incident, not just a dependency cleanup exercise. That means rotating exposed tokens, reviewing publish permissions, inspecting CI runners, and auditing recent npm publishes and GitHub Actions activity. Developer workstations and AI coding tools are now part of the software supply chain, so remediation should also include IDE and AI-tool configurations such as .vscode/tasks.json and .claude/settings.json, not just lockfiles.

Sonatype Guide can help teams understand their exposure, identify where compromised components may have been used, and prioritize the response steps that matter most. It can help assess impact, rotate potentially compromised credentials, audit recent publishing and CI activity, and check IDE or AI-tool configurations for persistence. To stop malicious packages before they are downloaded, use Sonatype Firewall to enforce package age and quarantine suspicious versions.

The New Reality of Open Source Risk

While the industry spent years focusing primarily on vulnerabilities, attackers shifted toward malicious packages, maintainer compromise, and credential theft because those attacks are often faster, cheaper, and harder to detect.

That's the operational reality behind Shai-Hulud and the growing wave of compromises in the npm ecosystem. And unfortunately, it's probably not the last one.

Because as long as developer credentials unlock distribution at internet scale, maintainers will remain one of the most valuable targets in software security.

And every npm install becomes, at least partially, an exercise in inherited trust.

Tags

security research supply chain attacks Malware Analysis Malware open source malware sonatype intelligence