Analysis
The May 19, 2026 Mini Shai-Hulud npm wave is the largest single-registry event in the TeamPCP cluster by package count. A compromised maintainer account (atool) was used to publish approximately 640 malicious package versions across more than 320 unique packages between 01:56 and 02:56 UTC — a one-hour automated publishing run. The bulk of the activity targeted the @antv data-visualization scope, with additional hits under @lint-md, @openclaw-cn, and @starmind, plus widely used unscoped packages: echarts-for-react, timeago.js, size-sensor, and canvas-nest.js.
The C2 domain is t.m-kosche[.]com — the same TeamPCP infrastructure used in the durabletask PyPI compromise published the same day. A new GitHub dead-drop marker appears in this wave: victim-account exfiltration repositories carry the reversed string niagA oG eW ereH :duluH-iahS (reversed: Shai-Hulud: Here We Go Again) in their descriptions, with Dune-themed names like sayyadina-stillsuit-852 and atreides-ornithopter-112.
Payload mechanics
Compromised packages follow a consistent injection pattern. A root-level obfuscated index.js is added to the tarball, and package.json is modified to run it at install time via a preinstall hook:
    "scripts": {
      "preinstall": "bun run index.js"
    }
The payload uses heavy string obfuscation with a runtime decryptor exposed on globalThis as fc2edea72. After decoding, stolen material is exfiltrated to https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces, with data gzip-compressed and encrypted using AES-256-GCM with RSA-OAEP key wrapping before transmission. The Sigstore endpoints (fulcio.sigstore.dev, rekor.sigstore.dev) are also contacted — consistent with the SLSA attestation abuse pattern documented in the TanStack/Mistral wave.
Collection targets developer and CI/CD environments: GitHub tokens, npm tokens, AWS and Kubernetes credentials, Vault tokens, SSH keys, Docker authentication files, database connection strings, and secrets from CI platforms including GitHub Actions, GitLab CI, Jenkins, and Azure DevOps.
GitHub dead-drop fallback and worm propagation
If the payload obtains a usable GitHub token, it creates a repository under the victim account and commits stolen JSON under results/results-<timestamp>-<counter>.json. Public GitHub search has surfaced repositories with the niagA oG eW ereH :duluH-iahS description marker — the reversed form provides minimal obscurity against automated detection while maintaining the Dune campaign branding in plain sight when reversed.
Worm propagation mirrors the established Mini Shai-Hulud pattern: the payload validates stolen npm tokens, enumerates maintainable packages, downloads tarballs, injects the same preinstall hook and index.js, bumps versions, and republishes under the compromised identity. An optionalDependencies entry may be added — specifically @antv/setup pinned to GitHub commit 1916faa365f2788b6e193514872d51a242876569 — mirroring the git-dependency execution technique used in prior Mini Shai-Hulud waves.
C2 infrastructure overlap with durabletask
The use of t.m-kosche[.]com as the primary C2 domain in both the @antv npm wave (May 19) and the durabletask PyPI compromise (May 19) on the same day is significant. This is not coincidence — it is shared infrastructure confirming that both events are the same operator running parallel attacks across npm and PyPI simultaneously. The operator is now compromising packages across multiple registries in coordinated waves rather than sequential campaigns.
Indicators of compromise
File hash (SHA-256):
- index.js: a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c
Code markers:
- globalThis decryptor key: fc2edea72
- preinstall script value: bun run index.js
Network indicators (defanged):
- t[.]m-kosche[.]com (primary C2)
- 185[.]95[.]159[.]32 (IP associated with t[.]m-kosche[.]com)
- https://t[.]m-kosche[.]com:443/api/public/otel/v1/traces (exfiltration endpoint)
- https://fulcio[.]sigstore[.]dev/api/v2/signingCert (Sigstore abuse)
- https://rekor[.]sigstore[.]dev/api/v1/log/entries (Sigstore abuse)
GitHub repository markers:
- Description: niagA oG eW ereH :duluH-iahS (reversed: "Shai-Hulud: Here We Go Again")
- Exfiltration path: results/results-*.json
- Name patterns: sayyadina-stillsuit-852, atreides-ornithopter-112, harkonnen-phibian-552
Optional git dependency IOC:
- @antv/setup → github:antvis/G2#1916faa365f2788b6e193514872d51a242876569
Affected scopes (non-exhaustive): @antv/g2, @antv/g6, @antv/x6, echarts-for-react, timeago.js, size-sensor, canvas-nest.js; also @lint-md, @openclaw-cn, @starmind scopes. Confirm exact malicious version pairs against Socket's published affected-package list for May 19, 2026.
Detection and remediation
- Audit lockfiles and install logs against Socket's published affected-package list for May 19, 2026. Any version installed between 01:56 and 02:56 UTC from an @antv package or the named unscoped packages should be treated as potentially malicious.
- Search for index.js SHA-256 a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c in the npm cache and node_modules.
- Block t[.]m-kosche[.]com and 185[.]95[.]159[.]32 at DNS and egress firewall.
- Audit GitHub organizations for repositories with niagA oG eW ereH :duluH-iahS in the description.
- Rotate all credentials from any host that ran npm install against a malicious version: GitHub tokens, npm tokens, cloud credentials, CI/CD secrets, Vault tokens, SSH keys.
- Rebuild CI runners from trusted baselines where malicious install cannot be ruled out.
Criminal-market signal
No dark-web presence for the @antv wave tooling or t.m-kosche.com infrastructure has been observed. The TeamPCP operator-run pattern confirmed across the cluster applies. Simultaneous npm and PyPI activity on the same day with shared C2 infrastructure confirms H2 (operator-run, coordinated, no commodity market).