Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised

TLDR

  • Compromised npm account atool published 637 malicious versions across 317 packages in 22 minutes, hitting 15M+ monthly downloads with a credential-harvesting Bun payload.

Key Takeaways

  • Affected packages include size-sensor (4.2M/mo), echarts-for-react (3.8M/mo), timeago.js (1.15M/mo), and hundreds of @antv scoped packages; semver ranges like ^3.0.6 auto-resolve to malicious versions regardless of the latest dist-tag.
  • The 498KB obfuscated Bun payload matches the Mini Shai-Hulud toolkit from the SAP compromise three weeks prior: same scanner architecture, same credential regex set, same obfuscation pattern.
  • Credential targets span AWS (env vars, EC2 IMDS, ECS metadata, Secrets Manager), GitHub PATs, npm tokens, Kubernetes service account tokens, HashiCorp Vault, SSH keys, Stripe keys, and Docker auth.
  • Persistence is layered: systemd/LaunchAgent kitty-monitor runs a GitHub dead-drop C2 polling for RSA-PSS signed commands; CI pipelines get .github/workflows/codeql.yml injection that dumps toJSON(secrets); Claude Code and Codex get SessionStart hooks.
  • Redundant delivery via orphan imposter commits in antvis/G2 means blocking preinstall hooks alone does not stop payload execution.

Hacker News Comment Review

  • Strong consensus that npm preinstall lifecycle scripts should be disabled by default; an RFC exists (npm/rfcs#868) but the default has not changed, and the attack surface extends to transitive dependencies.
  • Commenters debated freezing dependency BOMs entirely and enforcing a version seasoning period (e.g., reject versions newer than 30 days) as a practical mitigation, given that meaningful frontend security patches are rarer than supply chain attacks.
  • The compromised package list is noted as incomplete; nx-console VS Code extension (2.2M downloads) was also affected, suggesting broader scope than the SafeDep report covers.

Notable Comments

  • @urbandw311er: flags nx-console as an additional compromised package not in the SafeDep list, with a GitHub security advisory link for follow-up.
  • @tedd4u: proposes a version seasoning period with a CVE exception as a concrete registry-level control.
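
The version seasoning period with a CVE exception discussed above, sketched as an added example (not code from the article, SafeDep, npm, or the commenters). The packument is constructed, `resolveSeasoned` and `satisfiesCaret` are hypothetical helpers, and the resolver is a simplified highest-satisfying-version picker rather than npm's own algorithm.

```javascript
// Constructed packument for a hypothetical package. The `time` map (plus its
// `created`/`modified` keys) follows npm registry metadata; values are made up.
const packument = {
  name: 'example-pkg',
  'dist-tags': { latest: '3.0.6' }, // not consulted by this simplified resolver
  time: {
    created: '2024-01-01T00:00:00Z',
    modified: '2025-06-01T09:05:00Z',
    '3.0.5': '2025-01-10T00:00:00Z',
    '3.0.6': '2025-03-01T00:00:00Z',
    '3.0.7': '2025-06-01T09:00:00Z', // published an hour before the install
    '3.1.0': '2025-06-01T09:05:00Z',
    '4.0.0': '2025-02-01T00:00:00Z',
  },
};

const parse = (v) => v.split('.').map(Number);
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Simplified caret range: same major and >= base. Assumes major >= 1 and
// ignores prerelease tags, unlike a full semver implementation.
function satisfiesCaret(version, base) {
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// Highest version in ^base published at least minAgeDays before `now`.
// `exceptions` lists versions a human has approved early (the CVE exception).
function resolveSeasoned(pkg, base, now, minAgeDays, exceptions = []) {
  const cutoff = now.getTime() - minAgeDays * 24 * 60 * 60 * 1000;
  const eligible = Object.keys(pkg.time)
    .filter((v) => /^\d+\.\d+\.\d+$/.test(v)) // skip created/modified, prereleases
    .filter((v) => satisfiesCaret(v, base))
    .filter((v) => exceptions.includes(v) || Date.parse(pkg.time[v]) <= cutoff)
    .sort(cmp);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

const now = new Date('2025-06-01T10:00:00Z'); // constructed install time
console.log('no age gate :', resolveSeasoned(packument, '3.0.6', now, 0));
console.log('30-day gate :', resolveSeasoned(packument, '3.0.6', now, 30));
console.log('with waiver :', resolveSeasoned(packument, '3.0.6', now, 30, ['3.0.7']));
```

A `null` result means no version in the range has aged enough, which a real gate should treat as a failed install rather than falling back to the newest version.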
