Content Deep Dive

Active Supply Chain Attack Compromises @antv Packages on npm

Blog post from Socket

Post Details
Company: Socket
Date Published:
Author: Socket Research Team
Word Count: 10,666
Language: English
Hacker News Points: -
Summary

Socket's Threat Research team has identified a significant npm supply chain attack affecting packages in the @antv ecosystem and other packages tied to a compromised npm maintainer account. The attack, part of a pattern known as Mini Shai-Hulud, involved the malicious publishing of hundreds of npm packages, including popular ones such as echarts-for-react, which sees around 1.1 million weekly downloads. The attack abuses package lifecycle scripts to execute a heavily obfuscated JavaScript payload at install time, harvesting credentials and secrets from developer environments and CI/CD systems. The payload supports several exfiltration methods, including direct HTTPS and a GitHub-based fallback mechanism, so that stolen data can still be transmitted covertly if the primary channel is blocked.

Socket identified 639 compromised package versions across 323 packages in the most recent wave, with the overall campaign spanning npm, PyPI, and Composer, highlighting its extensive reach and the potential impact on organizations that depend on these packages. The incident underscores the weaknesses of the npm ecosystem and the risk created by automated dependency updates that pull in new versions without review. Socket continues to investigate and monitor the evolving threat.