Mini Shai-Hulud Resurfaces; Compromised Maintainer of antv, timeago, and size-sensor Packages Revives Worm Activity
Blog post from Semgrep
A maintainer's compromise led to malicious dependencies being injected into several popular npm packages, affecting a wide swath of the ecosystem, including high-usage libraries such as @antv/*, timeago.js, and size-sensor. The breach exposed hundreds of packages to potential security risk by spreading malicious code through the supply chain. Semgrep has deployed rules to detect these malicious dependencies and advises developers to scan their projects for impact.

The compromised packages underpin common user-interface functionality such as relative time display, data visualization, and responsive layout, and are often pulled in as transitive dependencies of larger frameworks. Suggested alternatives include javascript-time-ago, moment.js, Apache ECharts, and native browser support such as ResizeObserver; besides reducing exposure, these offer additional features such as internationalization or an improved developer experience. The advisory warns that the malware executes during package installation, so development environments, CI systems, and internal tooling may be affected, not only public-facing applications; every project that resolves these packages therefore warrants investigation.