Why bother hunting for a CVE when you can just publish malicious code straight into the software supply chain? That’s the story behind the latest wave of Shai-Hulud-related npm compromises, which recently hit the Ant Design (AntV) ecosystem and potentially exposed downstream developers to credential theft and remote code execution through trusted packages. Again.
The newest campaign (tracked as sonatype-2026-003200) compromised npm packages that used install-time hooks to steal developer and CI/CD secrets, then used the stolen publishing access to spread into more packages. This attack didn’t rely on typo-squatting or sketchy package names, just trusted packages suddenly shipping malicious code to unsuspecting developers.
When attackers compromise real maintainers and publish malware under real package names, traditional trust signals are obsolete.
The package looks safe because yesterday it was.
According to industry reporting, attackers compromised maintainers connected to the AntV visualization ecosystem and pushed malicious versions of multiple npm packages.
The payload reportedly attempted to:
This is not just bad code in a package; it’s exploiting normal ecosystem behavior. Compromise one maintainer account, infect trusted packages, harvest more credentials, compromise more publishers, and repeat until the ecosystem catches fire.
This loop keeps working because modern software delivery pipelines are built on inherited trust. If a package update comes from the right maintainer account, it’s easy to assume it’s legitimate by default.
Recent Shai-Hulud-linked or adjacent campaigns follow a clear pattern:
The AntV incident is the latest reminder that package ecosystems are now active attack surfaces, not passive dependency repositories.
“Malicious code can execute the moment a package is installed, so detecting it only minutes later will simply confirm the damage has already happened,” said Ilkka Turunen, Sonatype’s Field CTO. “The priority has to be prevention: suspicious packages should be quarantined before they ever reach a developer machine, build system, or CI pipeline.”
The objective of this malware is even more concerning. Most modern npm supply chain attacks are really credential acquisition campaigns disguised as package compromises. Attackers want tokens, credentials, signing keys, or other sensitive information. Once they get those, the blast radius expands fast. One compromised developer laptop becomes a compromised CI pipeline, which then becomes a compromised package, and ultimately thousands of downstream infections.
This is why software supply chain attacks increasingly look more like identity attacks than traditional malware campaigns. The dependency is just the delivery mechanism.
Attackers continue to leverage hijacked npm accounts because they know that most organizations still trust package updates far too implicitly once a dependency makes it into an approved project.
Security reviews often happen at initial adoption, not continuously across every update. That worked reasonably well when the primary risk was known vulnerabilities. It works much less well when attackers are actively hijacking trusted publishers in real time.
A malicious update published under a legitimate maintainer account can bypass:
That is especially true if the malicious version only lives briefly before being pulled. That’s why many modern npm campaigns are fast, opportunistic, and automated. But the removal of a malicious package cannot be treated as a sign that you are safe.
Any successful download of a package in this campaign means credentials were stolen and can be used to launch another wave at any time.
Cross-ecosystem infection happens when attackers use trust in one ecosystem to spread into others, treating package managers, source-control platforms, CI/CD tools, and IDE extensions as correlated targets. In this latest example, compromised @antv npm packages and GitHub Actions formed a shared infection path.
Malicious installs fetched additional payloads from GitHub-hosted infrastructure, stole developer credentials, and attempted to establish persistent access on infected systems. That makes the incident especially dangerous because a single poisoned dependency or tool can become a bridge into repositories, build pipelines, and cloud environments at once.
If your organization consumes npm packages, especially frontend or JavaScript-heavy environments, this is a good time to verify a few things:
Treat this as a credential incident, not just a dependency cleanup exercise. That means rotating exposed tokens, reviewing publish permissions, inspecting CI runners, and auditing recent npm publishes and GitHub Actions activity. Developer workstations and AI coding tools are now part of the software supply chain, so remediation should also include IDE and AI-tool configurations such as .vscode/tasks.json and .claude/settings.json, not just lockfiles.
Sonatype Guide can help teams understand their exposure, identify where compromised components may have been used, and prioritize the response steps that matter most. It can help assess impact, rotate potentially compromised credentials, audit recent publishing and CI activity, and check IDE or AI-tool configurations for persistence.
While the industry spent years focusing primarily on vulnerabilities, attackers shifted toward malicious packages, maintainer compromise, and credential theft because those attacks are often faster, cheaper, and harder to detect.
That’s the operational reality behind Shai-Hulud and the growing wave of compromises in the npm ecosystem. And unfortunately, it’s probably not the last one.
Because as long as developer credentials unlock distribution at internet scale, maintainers will remain one of the most valuable targets in software security.
And every npm install becomes, at least partially, an exercise in inherited trust.