Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised

查看原文 / View Original 编辑 / Edit

Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised

TL;DR The npm account atool ([email protected]) was compromised on May 19, 2026. The attacker published 637 malicious versions across 317 packages in a 22-minute automated burst. Affected packages include size-sensor (4.2M downloads/month), echarts-for-react (3.8M), @antv/scale (2.2M), timeago.js (1.15M), and hundreds of @antv scoped packages.

简述 npm 账户 atool ([email protected]) 于 2026 年 5 月 19 日遭到入侵。攻击者在 22 分钟内通过自动化脚本发布了 317 个软件包的 637 个恶意版本。受影响的软件包包括 size-sensor(月下载量 420 万)、echarts-for-react(380 万)、@antv/scale(220 万)、timeago.js(115 万)以及数百个 @antv 命名空间下的软件包。

The payload is a 498KB obfuscated Bun script that matches the Mini Shai-Hulud toolkit used in the SAP compromise three weeks earlier: same scanner architecture, same credential regex set, same obfuscation pattern. It harvests credentials across the full AWS chain (env vars, config files, EC2 IMDS, ECS container metadata, Secrets Manager), Kubernetes service account tokens, HashiCorp Vault, GitHub PATs, npm tokens, SSH keys, and local password manager vaults (1Password, Bitwarden, pass, gopass).

该载荷是一个 498KB 的混淆 Bun 脚本,与三周前 SAP 入侵事件中使用的 Mini Shai-Hulud 工具包完全吻合:具有相同的扫描器架构、相同的凭据正则表达式集以及相同的混淆模式。它会窃取完整的 AWS 凭据链(环境变量、配置文件、EC2 IMDS、ECS 容器元数据、Secrets Manager)、Kubernetes 服务账户令牌、HashiCorp Vault、GitHub PAT、npm 令牌、SSH 密钥以及本地密码管理器库(1Password、Bitwarden、pass、gopass)。

Stolen data is exfiltrated through two parallel channels: Git objects committed to public GitHub repositories created under the compromised token (User-Agent forged as python-requests/2.31.0), and RSA+AES encrypted HTTPS POSTs to t.m-kosche[.]com disguised as OpenTelemetry trace data. In CI environments, the payload exchanges GitHub Actions OIDC tokens for npm publish tokens, signs artifacts via Sigstore (Fulcio + Rekor) using the stolen identity, and injects persistence into .github/workflows/codeql.yml.

被盗数据通过两条并行渠道外泄:一是提交到受损令牌创建的公共 GitHub 仓库中的 Git 对象(User-Agent 伪装为 python-requests/2.31.0),二是伪装成 OpenTelemetry 追踪数据的 RSA+AES 加密 HTTPS POST 请求,发送至 t.m-kosche[.]com。在 CI 环境中,该载荷会将 GitHub Actions OIDC 令牌交换为 npm 发布令牌,利用被盗身份通过 Sigstore (Fulcio + Rekor) 对制品进行签名,并将持久化代码注入到 .github/workflows/codeql.yml 中。

The payload hijacks Claude Code and Codex by injecting SessionStart hooks that re-execute the malware on every AI session, both locally and via commits to accessible GitHub repositories. VS Code gets a tasks.json with "runOn": "folderOpen" for the same effect. A persistent systemd service / macOS LaunchAgent (kitty-monitor) installs a GitHub dead-drop C2 backdoor: a Python daemon that polls GitHub’s commit search API hourly for RSA-PSS signed commands in commit messages containing the keyword firedalazer, then downloads and executes arbitrary Python from the signed URL.

该载荷通过注入 SessionStart 钩子劫持 Claude Code 和 Codex,使得每次 AI 会话(无论是本地还是通过提交到可访问的 GitHub 仓库)都会重新执行恶意软件。VS Code 则会被注入包含 "runOn": "folderOpen"tasks.json 以达到同样效果。一个持久化的 systemd 服务/macOS LaunchAgent (kitty-monitor) 会安装一个 GitHub 死信 C2 后门:这是一个 Python 守护进程,每小时轮询 GitHub 的提交搜索 API,查找提交信息中包含关键词 firedalazer 的 RSA-PSS 签名命令,随后从签名 URL 下载并执行任意 Python 代码。

Impact / 影响

  • Projects using semver ranges: Auto-resolve to compromised versions. 使用语义化版本范围的项目: 会自动解析到受损版本。
  • Credential harvesting: Targets npm tokens, GitHub PATs, AWS keys, GCP service accounts, Azure credentials, database connection strings, Stripe keys, Slack tokens, SSH keys, Docker auth, Kubernetes tokens, HashiCorp Vault, and local password managers. 凭据窃取: 目标涵盖 npm 令牌、GitHub PAT、AWS 密钥、GCP 服务账户、Azure 凭据、数据库连接字符串、Stripe 密钥、Slack 令牌、SSH 密钥、Docker 认证、Kubernetes 令牌、HashiCorp Vault 以及本地密码管理器。
  • Dual exfiltration: Git objects to public repos and encrypted HTTPS POSTs disguised as OpenTelemetry traces. 双重外泄: 提交 Git 对象到公共仓库,以及伪装成 OpenTelemetry 追踪数据的加密 HTTPS POST 请求。
  • CI/CD persistence: Injects .github/workflows/codeql.yml to dump secrets and self-clean. CI/CD 持久化: 注入 .github/workflows/codeql.yml 以导出 secrets 并进行自清理。
  • AI agent hijacking: Hooks into Claude Code, Codex, and VS Code to ensure re-execution. AI 代理劫持: 挂钩 Claude Code、Codex 和 VS Code 以确保恶意软件被重新执行。

Indicators of Compromise (IoC) / 威胁指标

  • Publisher: Any package published by atool ([email protected]) on 2026-05-19 between 01:44 and 02:06 UTC. 发布者: 任何由 atool ([email protected]) 在 2026 年 5 月 19 日 UTC 时间 01:44 至 02:06 之间发布的软件包。
  • Payload SHA256: a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c
  • Imposter commits in antvis/G2: Orphan commits with forged authorship and message “New Package”. antvis/G2 中的伪造提交: 具有伪造作者身份和“New Package”提交信息的孤立提交。
  • Exfiltration URL: hxxps://t.m-kosche[.]com/api/public/otel/v1/traces
  • C2 Keyword: firedalazer (in commit messages). C2 关键词: firedalazer(存在于提交信息中)。
← 返回新闻列表 / Back to news list