{"id":12974,"date":"2026-05-19T10:04:53","date_gmt":"2026-05-19T10:04:53","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/19\/hackers-compromise-antv-packages-in-mini-shai-hulud-npm-attack-wave\/"},"modified":"2026-05-19T10:04:53","modified_gmt":"2026-05-19T10:04:53","slug":"hackers-compromise-antv-packages-in-mini-shai-hulud-npm-attack-wave","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/19\/hackers-compromise-antv-packages-in-mini-shai-hulud-npm-attack-wave\/","title":{"rendered":"Hackers Compromise @antv Packages in Mini Shai-Hulud npm Attack Wave"},"content":{"rendered":"<p>Hackers Compromise @antv Packages in Mini Shai-Hulud npm Attack Wave<\/p>\n<div>\n<p>A sweeping supply chain attack has hit the npm ecosystem, compromising hundreds of widely used JavaScript packages tied to the @antv data visualization library. <\/p>\n<p>The attack, which unfolded in the early hours of May 19, 2026, injected malicious code into packages used by millions of developers worldwide. 
<\/p>\n<p>Among the affected packages is echarts-for-react, a popular React wrapper with roughly 1.1 million weekly downloads.<\/p>\n<p>The attackers gained access to the npm maintainer account known as \u201catool\u201d and used it to push poisoned versions of dozens of well-known packages. 
<\/p>\n<p>Beyond the core @antv packages, the attack also reached unrelated packages such as timeago.js, size-sensor, and canvas-nest.js. <\/p>\n<p>The sheer number of affected packages made this one of the largest npm supply chain incidents in recent memory.<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">This one is really, really bad.<a href=\"https:\/\/t.co\/tfTfzGmgYD\">https:\/\/t.co\/tfTfzGmgYD<\/a><\/p>\n<p>Starting to be hard to call this one &#8220;Mini Shai-Hulud&#8221; <a href=\"https:\/\/t.co\/utgugatkJa\">https:\/\/t.co\/utgugatkJa<\/a><\/p>\n<p>\u2014 Adnan Khan (@adnanthekhan) <a href=\"https:\/\/twitter.com\/adnanthekhan\/status\/2056570961030197485?ref_src=twsrc%5Etfw\">May 19, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>Researchers at Socket.dev identified the attack in near real-time, flagging the malicious publish wave and classifying affected versions as known malware. <\/p>\n<p><a href=\"https:\/\/socket.dev\/blog\/antv-packages-compromised\" id=\"https:\/\/socket.dev\/blog\/antv-packages-compromised\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Socket.dev said in a\u00a0report<\/a>\u00a0shared with Cyber Security News (CSN) that its internal review identified 639 compromised package versions across 323 unique packages in what the team labeled the \u201c5\/19 Mini Shai-Hulud wave\u201d. 
Most detections happened within 6 to 12 minutes of publication.<\/p>\n<p>Across the broader Mini Shai-Hulud campaign, Socket has tracked 1,055 versions across 502 unique packages spanning npm, PyPI, and Composer registries. 
<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/new-cyberattack-leverages-npm-ecosystem\/\" id=\"129973\" target=\"_blank\" rel=\"noreferrer noopener\">The npm ecosystem bears the overwhelming share<\/a>, with 1,048 compromised versions across 498 unique npm packages. The campaign\u2019s scale points to a coordinated and well-resourced threat actor operating across multiple open source ecosystems.<\/p>\n<p>The blast radius here is significant. The publishing account is tied to packages used across data visualization, graphing, mapping, and React component development. <\/p>\n<p>Even if only a fraction of those packages received a malicious update, organizations that automatically pull new dependency versions face real downstream exposure.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-the-malicious-payload-works\"><strong>Hackers Compromise @antv Packages<\/strong><\/h2>\n<p>The injected code follows a pattern tied to the Mini Shai-Hulud malware family. Each compromised package contains a root-level index.js file that modifies package.json to execute the payload at install time through a \u201cpreinstall\u201d hook running on Bun. <\/p>\n<p>The payload is heavily obfuscated using a large string-array lookup table and a custom decryptor to hide sensitive strings from basic inspection.<\/p>\n<p>Once triggered, the malware collects and transmits stolen data over an encrypted channel. It serializes harvested information, compresses it with gzip, encrypts it with AES-256-GCM, and wraps the key with RSA-OAEP before sending everything to the command-and-control server. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEglOGL6OvmwBL0ZAhW-uSYLunkSNtRhV0Re9HJtgDroYC9dBckXh35xuwn-I3iW8QSzZogpVlXhgCUcmqC-Gv51VCP_NM1nyA3LV0X9jC5DfoQvkFctNoBMH-A6F6HiseOPmICQ6HIhZC_5V-6beGYHg00T7U91pv6gqa1NCYGa0il11i9Sc7vjSgMXZlg\/s16000\/GitHub%2520search%2520reveals%2520a%2520rapidly%2520updating%2520cluster%2520of%2520threat%2520actor-created%2520repositories%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\" alt=\"GitHub search reveals a rapidly updating cluster of threat actor-created repositories (Source - Socket.dev)\"><figcaption class=\"wp-element-caption\">GitHub search reveals a rapidly updating cluster of threat actor-created repositories (Source \u2013 Socket.dev)<\/figcaption><\/figure>\n<\/div>\n<p>This layered encryption makes it very difficult for defenders to recover stolen content from network traffic logs.<\/p>\n<p>The payload hunts for high-value secrets across developer and CI\/CD environments. It targets GitHub tokens, AWS credentials, Kubernetes service-account material, SSH private keys, Vault tokens, Docker authentication files, and database connection strings. 
<\/p>\n<p>It also contains platform-specific logic for GitHub Actions, GitLab CI, Jenkins, CircleCI, AWS CodeBuild, and several others.<\/p>\n<h2 class=\"wp-block-heading\" id=\"github-as-a-fallback-exfiltration-channel\"><strong>GitHub as a Fallback Exfiltration Channel<\/strong><\/h2>\n<p>If the malware obtains a usable GitHub token, it shifts to a secondary method. It creates a new repository under the victim\u2019s account and commits stolen data into files following a structured naming path. <\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/new-braodo-stealer-campaign-abuses-github\/\" id=\"112330\" target=\"_blank\" rel=\"noreferrer noopener\">This technique abuses GitHub as trusted infrastructure<\/a>, making exfiltration far harder to detect and block. Public GitHub searches for a reversed campaign marker currently reveal roughly 1,900 repositories created by the threat actor. <\/p>\n<p>These use Dune-inspired names such as \u201csayyadina-stillsuit-852\u201d and \u201cfremen-fedaykin-225,\u201d and their descriptions carry the same reversed marker, confirming they belong to the campaign\u2019s exfiltration network.<\/p>\n<p>Beyond stealing secrets, the payload can also spread itself. It validates stolen npm credentials, enumerates packages the compromised account can publish, injects malicious code, and republishes the modified packages. <\/p>\n<p>This worm-like behavior lets the attack jump between maintainer accounts without further effort from the attacker.<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/security-teams-shrink-as-automation-rises\/\" id=\"100650\" target=\"_blank\" rel=\"noreferrer noopener\">Developers and security teams should audit any recent updates<\/a> from affected @antv and associated npm namespaces right away. <\/p>\n<p>Organizations should rotate any secrets or credentials that may have passed through environments where these packages were recently installed. Reviewing CI\/CD pipeline logs for unexpected GitHub repository creation activity is also strongly advised.<\/p>\n<p id=\"indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Domain<\/td>\n<td><code>t[.]m-kosche[.]com<\/code><\/td>\n<td>Primary C2 exfiltration domain used by the malicious payload<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td><code>https:\/\/t[.]m-kosche[.]com:443\/api\/public\/otel\/v1\/traces<\/code><\/td>\n<td>Primary HTTPS exfiltration endpoint for harvested secrets<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td><code>https:\/\/fulcio[.]sigstore[.]dev\/api\/v2\/signingCert<\/code><\/td>\n<td>Sigstore Fulcio endpoint referenced in the payload<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td><code>https:\/\/rekor[.]sigstore[.]dev\/api\/v1\/log\/entries<\/code><\/td>\n<td>Sigstore Rekor transparency log endpoint referenced in the payload<\/td>\n<\/tr>\n<tr>\n<td>GitHub Marker<\/td>\n<td><code>niagA oG eW ereH :duluH-iahS<\/code><\/td>\n<td>Reversed campaign marker string found in threat actor GitHub repositories<\/td>\n<\/tr>\n<tr>\n<td>GitHub Marker<\/td>\n<td><code>niaga og ew ereh :duluh-iahs<\/code><\/td>\n<td>Lowercase variant of the reversed campaign marker\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Marker<\/td>\n<td><code>Shai-Hulud: Here We Go Again<\/code><\/td>\n<td>Decoded plaintext of the campaign marker\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>File Path Pattern<\/td>\n<td><code>results\/results-*.json<\/code><\/td>\n<td>Path pattern used by the GitHub fallback exfiltration mechanism to store stolen data\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Repository Pattern<\/td>\n<td><code>&lt;dune-word&gt;-&lt;dune-word&gt;-&lt;digits&gt;<\/code><\/td>\n<td>Naming convention used for threat actor staging repositories\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Repository<\/td>\n<td><code>sayyadina-stillsuit-852<\/code><\/td>\n<td>Observed threat actor repository used for exfiltration staging\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Repository<\/td>\n<td><code>atreides-ornithopter-112<\/code><\/td>\n<td>Observed threat actor repository used for exfiltration staging\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Repository<\/td>\n<td><code>harkonnen-phibian-552<\/code><\/td>\n<td>Observed threat actor repository used for exfiltration staging\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Repository<\/td>\n<td><code>fremen-fedaykin-225<\/code><\/td>\n<td>Observed threat actor repository used for exfiltration staging\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Repository<\/td>\n<td><code>kanly-lasgun-874<\/code><\/td>\n<td>Observed threat actor repository used for exfiltration staging\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Secret Target<\/td>\n<td><code>GITHUB_TOKEN<\/code><\/td>\n<td>Environment variable actively harvested by the payload\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Secret Target<\/td>\n<td><code>AWS_ACCESS_KEY_ID<\/code><\/td>\n<td>AWS credential targeted for theft by the payload\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Secret Target<\/td>\n<td><code>AWS_SECRET_ACCESS_KEY<\/code><\/td>\n<td>AWS credential targeted for theft by the payload\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Secret Target<\/td>\n<td><code>AWS_SESSION_TOKEN<\/code><\/td>\n<td>AWS session token targeted for theft\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Secret Target<\/td>\n<td><code>KUBECONFIG<\/code><\/td>\n<td>Kubernetes configuration file targeted for theft\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Secret Target<\/td>\n<td><code>VAULT_TOKEN<\/code><\/td>\n<td>HashiCorp Vault token targeted for theft\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>File<\/td>\n<td><code>index.js<\/code><\/td>\n<td>Root-level malicious payload file injected into compromised packages\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/41463a42-244a-4713-ac22-9d12fcd7470e\/Hackers-Compromise-antv-Packages-in-Mini-Shai-Hulud-npm-Attack-Wave.pdf?AWSAccessKeyId=ASIA2F3EMEYEWYS2HVOA&amp;Signature=rUISmJQwC2uedp4tw8OtvJ54hZc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJHMEUCIQDh1gbtxykDub1SpoErt6PODN%2F2jFKasGRA23WfOTnlJwIgGZwY9rx74uN1dN73ZCM%2F0UobbUeRbmAqpJrkaWwh9Ogq%2FAQI0f%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDCLKVG%2BDKsipWjUS6irQBBywH1mKlyuwFoqUxJBa6w5pEhxi%2FgRC4Sx4qlGrhOAvCactzU99lyu7PACQe6nt7rghAPhV25y%2B4Ghl24Wd%2BIgimS1aNb3dQ6R%2FddMzm5cSBzt9dQugxdZCjoaWz0btRUZtl3%2FEeFdSH9Fi9SOguUZhSmj%2FizB4swMWzXHQtiCjXZuOSW9cxSWw%2BzTnV6b9TiQFGo5QjG5IPrFf7SojxnROSzJZBHakEgSMnHImu2tfJFgB6zU9EvQeRW%2BvjvgzThc1j32SsdSuZlDCedEbJumxPFzSqmPuuiK%2F3mAUT3RMurOjz7AnHpDr0Lm2QLocCBcXZXri4%2BGw7bYl6wewiCXelG1KjCdjmqjIFdTucPMxbTHr87mcCGyfx6tJ5fbILEOZekXw9qH5blcw%2FKPiOxPLjGAP7%2F0Avn83M7%2BqKGYbXEvcyWM%2F1%2Bv6ZeWNIRxdRmp%2BimGh6uGo%2BsHCin00JHTIa0IRT%2BxBLeayvB0zDShnfXs68ke3etWnzILkYZiyv1oPvrOi2%2FD4WyHGbX7dEH6A%2BiHcaErpJyxfKHLiKtVTgpBxlig6hyv79SVGLiglQsG9XuphTMuq1yxBVCQsprYxjvh3Xq47TeTRvSSlYKbG8pEguYT7xIT9pxnT6soVVo2ZY8Hmflu%2FMuCmRpZRXdnDuXd6OKVD3M5YUwM5t4jL4cBCn91tX1oyfAZqWEv%2Bg54b%2Fa%2BlHMGHVCtM9xKzyxC5ebDX4S%2BD1s8XtLdLYjVhJ3ciJbRA8Pw6OT%2BaPNcKXoTX5V6Sb5LqSqIBwu88rlcw%2Bbmw0AY6mAEF0TyUzZ3%2FjcyTBNOyy1MSO4HpaGjwp4xmoV4qzIMpDrXqQFZ2lAb296IBi0j0SeRw9J7BiMIfu6GBjt%2BuMGzrfkE7w9HOaaeEe%2F1zsSUdl%2Bw9Mj8i%2Bqv6aWceFuozA6jy%2BeNk7wDNw33pT5Ztiz%2BthEVisBAB06mdvTbvc8H55iEEUmxOBoDVgEs1NCHzEJCZoQd7VZgvsw%3D%3D&amp;Expires=1779181204\"><\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-compromise-antv-packages\/\">Hackers Compromise @antv Packages in Mini Shai-Hulud npm Attack Wave<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Compromise @antv Packages in Mini Shai-Hulud npm Attack Wave A sweeping supply chain attack has hit the npm ecosystem, compromising hundreds of widely used JavaScript packages tied to the @antv data visualization library. 
The attack, which unfolded in the early hours of May 19, 2026, injected malicious code into packages used by millions of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12974","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12974"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12974"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12974\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12974"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}