Threat actors exploited leaked Shai-Hulud infostealer source code to poison multiple npm packages, with one compromised library — echarts-for-react in the @antv ecosystem — recording approximately 1.1 million weekly downloads. The attack used a compromised npm maintainer account to inject malicious code into legitimate, widely trusted packages without triggering typical repository security signals. A separate wave of typosquatted packages using the same leaked source code targeted developer credentials and cryptocurrency wallet data.
Shai-Hulud Campaign Targets @antv Ecosystem via Compromised npm Maintainer Account
The primary vector in the @antv ecosystem compromise was a hijacked npm maintainer account rather than a newly published package. Attackers used the compromised account to push malicious versions of existing, legitimately maintained packages — bypassing the primary signal organizations use to evaluate whether a package is trustworthy. Because those packages already had an established install base of over a million weekly downloads, the malicious versions reached developer environments without any mistake or unusual package choice on the developer’s part.
The echarts-for-react package is widely used for data visualization in JavaScript and React applications. Its presence in the @antv ecosystem, combined with its download volume, made it a high-value target for injecting credential-theft functionality with minimal chance of immediate detection.
echarts-for-react Compromise: 1.1 Million Weekly Downloads Exposed to Credential Theft
The malicious code injected into packages in the @antv ecosystem — including echarts-for-react — targets developer credentials, cloud service configuration files, environment variables, API keys, and cryptocurrency wallet data before exfiltrating the harvested material to attacker-controlled infrastructure.
Organizations running automated dependency update pipelines that include echarts-for-react would have pulled the malicious version without any manual intervention. The scale of exposure — measured in millions of affected developer environments globally — stems directly from the maintainer account compromise technique, which turns a trusted package into a delivery vehicle for the threat actor.
chalk-tempalte and at Least Three Additional Packages Carry Shai-Hulud Variants
Beyond the @antv ecosystem, additional Shai-Hulud copycat packages appeared across other npm libraries. The chalk-tempalte package — a typosquat on the popular chalk-template library — carried Shai-Hulud credential-theft code. At least three other packages in the wave used the same leaked source, with variations in targeting and payload behavior across the individual packages.
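An added example, not code from the article or from any project it names, that checks a package.json for the two exposure paths described above: typosquatted names such as chalk-tempalte, and floating version ranges that let an automated update pipeline pull a freshly published release of a trusted package. The approved-package list and the version numbers in the sample manifest are constructed for the demonstration.

```python
import json
import re

# Constructed allow-list of packages the team has actually vetted (assumption; adjust per project).
APPROVED = {"chalk-template", "echarts-for-react", "react", "echarts"}

# Version specifiers that let npm resolve a newer release than the one that was reviewed.
FLOATING = re.compile(r"^(\^|~|>=?|\*|latest$|x$)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss names such as chalk-tempalte vs chalk-template."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(package_json: str) -> list[str]:
    """Return one finding per risky dependency in a package.json string."""
    manifest = json.loads(package_json)
    findings = []
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    for name, spec in deps.items():
        bare = name.split("/")[-1]  # strip a scope such as @antv/
        if name not in APPROVED and bare not in APPROVED:
            close = [a for a in APPROVED if 0 < levenshtein(bare, a) <= 2]
            if close:
                findings.append(f"{name}: possible typosquat of {close[0]}")
            else:
                findings.append(f"{name}: not on the approved list")
        if FLOATING.match(spec.strip()):
            findings.append(f"{name}: floating range '{spec}' lets an update pipeline pull an unreviewed release")
    return findings

# Constructed sample manifest showing both problems (versions are made up for the example).
SAMPLE = json.dumps({
    "dependencies": {
        "echarts-for-react": "^3.0.0",
        "chalk-tempalte": "1.0.0",
        "react": "18.2.0",
    }
})

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Pinning exact versions and reviewing the diff of each bump does not stop a maintainer-account compromise by itself, but it keeps an automated pipeline from silently adopting the malicious release.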
The appearance of multiple independent campaigns derived from the same leaked source code reflects a pattern seen when malware toolkits become publicly available: the original source enables rapid proliferation across actors who lack the capability to develop the tooling themselves, multiplying the total attack surface while fragmenting attribution.
One Variant Adds DDoS Botnet Capability Alongside Credential Theft
At least one package in the Shai-Hulud wave carried dual functionality: credential theft combined with a persistent DDoS botnet component. A developer environment infected by this variant becomes both a source of exfiltrated credentials and a node in an attacker-controlled botnet — two simultaneous compromise outcomes from a single package installation.
The combination of infostealer and botnet functionality in a single npm package is consistent with the multi-purpose design of the leaked Shai-Hulud source, which the campaign’s operators adapted to serve different objectives across the various packages deployed. The campaign was linked to the concurrent GitHub Actions supply chain attack through shared attacker-controlled infrastructure observed in both operations.
