A malicious npm worm (Mini Shai-Hulud) compromised 323 packages in under an hour, primarily targeting @antv visualization libraries and echarts-for-react (1.1 million weekly downloads), using preinstall hooks to steal credentials like GitHub tokens, AWS keys, and SSH keys, then exfiltrating data to a server disguised as an OpenTelemetry endpoint; affected systems should pin to known-good versions, rotate credentials, and roll back changes.
Mini Shai-Hulud npm worm hits @antv and echarts-for-react
Mini Shai-Hulud, the npm worm that hit TanStack and two OpenAI employees last week, is back. Early Tuesday, the worm hit the npm account of a maintainer called A tool. In under an hour, 323 packages got malicious versions, 639 versions in total. Most are @antv packages, visualization libraries used in a lot of React dashboards. Outside @antv, the one to flag is echarts-for-react, the React wrapper for Apache ECharts. It has 1.1 million weekly downloads. So, if you ran npm install on a project pointing at echarts-for-react or anything @antv Tuesday morning, you may have grabbed the poisoned version. The payload tracks with prior waves. A preinstall hook scrapes GitHub tokens, AWS keys, Kubernetes accounts, small tokens, SSH keys, database connection strings, and ships them out.
Socket says the data goes to a server disguised as an OpenTelemetry traces endpoint, which won't look unusual leaving a dev machine or a build server.
If your build pipeline or laptop pulled a fresh @antv or echarts-for-react version this week, pin to a known good version, rotate any credentials that were on that machine, and then roll back if you need to.
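Added example (not from the video or from Socket): a Node.js check over a parsed `package-lock.json` that lists every `@antv/*` and `echarts-for-react` entry with its resolved version, whether the lockfile records an install script for it, and whether `package.json` pins it exactly. The sample manifest, lockfile and versions are constructed, and because the page gives no list of bad versions the result is a review list, not a verdict.

```javascript
// Added example. Sample data below is constructed; versions are not real indicators.
const SAMPLE_MANIFEST = {
  dependencies: { "echarts-for-react": "^1.0.0", "@antv/g2": "1.0.0", react: "1.0.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard" },
    "node_modules/react": { version: "1.0.0" },
    "node_modules/echarts-for-react": { version: "1.0.1", hasInstallScript: true },
    "node_modules/@antv/g2": { version: "1.0.0" },
    "node_modules/@antv/g2/node_modules/@antv/util": { version: "1.0.2", hasInstallScript: true },
  },
};

// Package names the page says were affected: the @antv scope and echarts-for-react.
const isWatched = (name) => name.startsWith("@antv/") || name === "echarts-for-react";

// Only a bare x.y.z (optionally with a prerelease tag) counts as a pin;
// ^, ~, *, "latest" and other ranges let a fresh install float to a new release.
const isExactPin = (spec) => /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);

function auditLock(lock, manifest) {
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@antv/util"; the root entry is "".
    const marker = path.lastIndexOf("node_modules/");
    if (marker === -1) continue;
    const name = path.slice(marker + "node_modules/".length);
    if (!isWatched(name)) continue;
    const spec = declared[name];
    findings.push({
      name,
      version: meta.version,
      // npm sets hasInstallScript when a package declares install-time lifecycle scripts.
      installScript: meta.hasInstallScript === true,
      direct: spec !== undefined,
      pinned: spec === undefined ? null : isExactPin(spec), // null: transitive dependency
    });
  }
  return findings;
}

console.table(auditLock(SAMPLE_LOCK, SAMPLE_MANIFEST));
```

On a real project, pass the parsed contents of `package-lock.json` and `package.json`; `npm ci --ignore-scripts` installs from the lockfile without running lifecycle hooks.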