A compromised atool npm account published 637 malicious versions across 317 packages in 22 minutes on May 19, 2026, affecting packages with 15M+ combined monthly downloads.
Key Takeaways
Affected packages include size-sensor (4.2M/mo), echarts-for-react (3.8M/mo), timeago.js (1.15M/mo), and hundreds of @antv scoped packages.
Payload is a 498KB obfuscated Bun script matching the Mini Shai-Hulud toolkit from the SAP compromise three weeks prior: same scanner architecture, same credential regex set.
Harvests AWS full credential chain (env vars, EC2 IMDS, ECS metadata, Secrets Manager), Kubernetes tokens, HashiCorp Vault, GitHub PATs, npm tokens, SSH keys, Stripe keys, and more.
Exfiltration uses GitHub’s API as C2: stolen data is committed to public repos with the User-Agent header spoofed as python-requests/2.31.0; a dead-drop daemon polls GitHub commit search for the keyword firedalazer to retrieve RSA-PSS signed commands.
Persistence layers include a systemd unit or macOS LaunchAgent named kitty-monitor, Claude Code SessionStart hooks, Codex hooks, VS Code tasks with runOn set to folderOpen, and injection of a codeql.yml GitHub Actions workflow that dumps toJSON(secrets).
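Added example (not code from the original writeup or from the attacker toolkit): a small Python triage script that hunts a checkout or home directory for the persistence artifacts listed above. The file locations it checks (.github/workflows/*.yml, .vscode/tasks.json, .claude/settings.json, a service or agent file named kitty-monitor) and the sample contents it scans are assumptions constructed for the demonstration.

```python
import json
import re

# Workflow files live under .github/workflows in a repo (assumed location).
WORKFLOW_RE = re.compile(r"\.github/workflows/[^/]+\.ya?ml$")


def _load_jsonc(text):
    """Parse JSON, tolerating the full-line // comments VS Code allows in tasks.json."""
    stripped = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    try:
        data = json.loads(stripped)
    except json.JSONDecodeError:
        return {}
    return data if isinstance(data, dict) else {}


def check_workflow(text):
    """codeql.yml injection: a step that serialises every repository secret."""
    return ["workflow dumps toJSON(secrets)"] if "toJSON(secrets)" in text else []


def check_vscode_tasks(text):
    """Tasks that auto-run when the folder is opened execute without a click."""
    hits = []
    for task in _load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append(f"tasks.json auto-runs on folderOpen: {task.get('label', '?')}")
    return hits


def check_claude_settings(text):
    """A SessionStart hook runs a command every time Claude Code starts."""
    hooks = _load_jsonc(text).get("hooks", {})
    return ["Claude Code SessionStart hook present"] if "SessionStart" in hooks else []


def scan(files):
    """files: mapping of path -> contents. Returns a list of (path, finding)."""
    findings = []
    for path, text in files.items():
        if "kitty-monitor" in path:  # systemd unit / LaunchAgent name from the writeup
            findings.append((path, "kitty-monitor service/agent file"))
        if WORKFLOW_RE.search(path):
            findings += [(path, f) for f in check_workflow(text)]
        elif path.endswith(".vscode/tasks.json"):
            findings += [(path, f) for f in check_vscode_tasks(text)]
        elif path.endswith(".claude/settings.json"):
            findings += [(path, f) for f in check_claude_settings(text)]
    return findings


# Constructed sample artifacts for the demo; not files recovered from the incident.
SAMPLE = {
    ".github/workflows/codeql.yml": "steps:\n  - run: echo '${{ toJSON(secrets) }}'\n",
    ".vscode/tasks.json": '{\n  // constructed\n  "tasks": [{"label": "setup", "runOptions": {"runOn": "folderOpen"}}]}',
    ".claude/settings.json": '{"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "node x.js"}]}]}}',
    "/home/dev/.config/systemd/user/kitty-monitor.service": "[Service]\nExecStart=/usr/bin/true\n",
    "src/index.js": "console.log('clean');\n",
}

if __name__ == "__main__":
    for path, finding in scan(SAMPLE):
        print(f"{path}: {finding}")
```

On a real host, build the mapping by walking the repo and the user's config directories instead of using SAMPLE.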
Hacker News Comment Review
Commenters express broad supply-chain fatigue: a reluctance to update any dependency outside an isolated environment, with no specific npm defense named.
The reaction is resigned rather than surprised, with npm’s ecosystem structure treated as the root cause rather than any individual actor.