Shai-Hulud Campaign Returns Targeting npm Maintainer Accounts
The Shai-Hulud campaign has returned and is compromising npm maintainer accounts to push malicious package versions straight into the software supply chain, most recently in the Ant Design (AntV) ecosystem, exposing downstream developers to credential theft and remote code execution.
The Shai-Hulud campaign has resurfaced, focusing on compromising npm maintainer accounts to inject malicious code directly into the software supply chain. No software vulnerability needs to be exploited: a stolen maintainer account is enough to publish a new version of a trusted package. The latest wave of attacks, observed in May 2026, targeted the Ant Design (AntV) ecosystem. With maintainer accounts under their control, the attackers published malicious versions of trusted packages, and downstream developers pulled the backdoored code into their projects through routine dependency updates, potentially leading to credential theft and remote code execution within their environments. The re-emergence of Shai-Hulud highlights the ongoing risk of supply chain attacks and the importance of securing developer accounts, not just the code they publish.
Attack Chain
- Attacker identifies a target npm package within the Ant Design (AntV) ecosystem, typically one with a large downstream install base.
- Attacker gains unauthorized access to the npm account of the package maintainer, likely through stolen credentials or publish tokens.
- Attacker adds malicious code to the package, aimed at stealing credentials from the installing machine and obtaining remote code execution on it.
- Attacker publishes a new, compromised version of the package to the npm registry under the maintainer's identity, so the release looks legitimate.
- Downstream developers and CI pipelines pull the compromised version through normal dependency updates (a loose semver range or a routine `npm install`/`npm update`).
- The malicious code executes within the developers' environments during install or at runtime, potentially stealing credentials or establishing a reverse shell for remote access.
Impact
This campaign has the potential to compromise every downstream developer and build system that pulls the affected Ant Design (AntV) npm packages. Successful exploitation could lead to widespread credential theft (cloud keys, registry tokens, CI secrets), allowing attackers to pivot to other systems and resources. Remote code execution could grant attackers persistent access to developer environments, enabling further malicious activity, including using stolen publish tokens to compromise additional packages and extend the supply chain attack to other projects.
Recommendation
- Monitor npm package updates for unexpected changes in dependencies, versions or file hashes that could indicate a compromised package, and verify installed tarballs against the integrity values pinned in the lockfile (review file_event logs for npm package directories).
- Enable multi-factor authentication (MFA) on all npm accounts and require it for publishing, so a stolen password or token alone is not enough to push a release.
- Deploy the Sigma rule to detect suspicious outbound network connections originating from npm-related processes, which is where install-time malicious code first becomes visible.
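The first recommendation above (watching for unexpected dependency, version and hash changes) can be automated against package-lock.json. The following is an added example, not code from the page or from any Ant Design project: it diffs the `packages` map of two lockfiles (the v2/v3 format), singles out the two strongest signals of tampering (a hash change without a version change, and a dependency that newly gained an install hook via the real `hasInstallScript` field) and checks a tarball's bytes against the pinned Subresource Integrity value. The lockfiles, package names and tarball bytes are constructed for the example.

```python
import base64
import hashlib
import hmac


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form npm writes to package-lock.json."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """True if the bytes match any hash listed in the SRI value (npm may list several)."""
    for entry in integrity.split():
        algo, _, expected = entry.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue  # unknown or weak algorithm: never accept it as a match
        actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def lock_diff(old: dict, new: dict) -> dict:
    """Compare the 'packages' maps of two lockfiles and report what changed.

    Keys look like 'node_modules/@scope/name'; the empty key is the root project.
    """
    old_pkgs = {k: v for k, v in old.get("packages", {}).items() if k}
    new_pkgs = {k: v for k, v in new.get("packages", {}).items() if k}
    report = {
        "added": [],
        "removed": [],
        "version_changed": [],
        "integrity_changed_same_version": [],  # strongest signal: lockfile or registry tampering
        "new_install_script": [],               # package newly gained a (pre|post)install hook
    }
    for name in sorted(set(old_pkgs) | set(new_pkgs)):
        o, n = old_pkgs.get(name), new_pkgs.get(name)
        if o is None:
            report["added"].append(name)
        elif n is None:
            report["removed"].append(name)
        elif o.get("version") != n.get("version"):
            report["version_changed"].append((name, o.get("version"), n.get("version")))
        elif o.get("integrity") != n.get("integrity"):
            report["integrity_changed_same_version"].append(name)
        if n and n.get("hasInstallScript") and not (o or {}).get("hasInstallScript"):
            report["new_install_script"].append(name)
    return report


# Constructed tarball contents standing in for the real archives (not real packages).
WIDGET_140 = b"constructed tarball bytes for @example/widget 1.4.0"
WIDGET_141 = b"constructed tarball bytes for @example/widget 1.4.1"
UTIL_200 = b"constructed tarball bytes for @example/util 2.0.0"

OLD_LOCK = {"packages": {
    "": {"name": "demo-app"},
    "node_modules/@example/widget": {"version": "1.4.0", "integrity": sri(WIDGET_140)},
    "node_modules/@example/util": {"version": "2.0.0", "integrity": sri(UTIL_200)},
}}
NEW_LOCK = {"packages": {
    "": {"name": "demo-app"},
    # version bump that also introduced an install hook: review the release before trusting it
    "node_modules/@example/widget": {"version": "1.4.1", "integrity": sri(WIDGET_141), "hasInstallScript": True},
    # same version, different hash: the archive behind 2.0.0 is not the one that was pinned before
    "node_modules/@example/util": {"version": "2.0.0", "integrity": sri(UTIL_200 + b"?")},
    "node_modules/@example/new-dep": {"version": "0.0.1", "integrity": sri(b"constructed new-dep tarball")},
}}


def review_update() -> dict:
    """Diff the lockfiles, then confirm the bytes on disk match what the new lockfile pins."""
    report = lock_diff(OLD_LOCK, NEW_LOCK)
    pinned = NEW_LOCK["packages"]["node_modules/@example/widget"]["integrity"]
    report["widget_on_disk_matches"] = verify_sri(WIDGET_141, pinned)
    report["widget_tampered_matches"] = verify_sri(WIDGET_141 + b"\x00", pinned)
    return report


if __name__ == "__main__":
    for key, value in review_update().items():
        print(f"{key}: {value}")
```

In practice the "old" lockfile is the one committed in git and the "new" one is what a pull request or a CI run produced; anything in `integrity_changed_same_version` or `new_install_script` should block the merge until a human has looked at the published tarball. `verify_sri` is the check `npm` itself performs at install time, repeated here so it can be run against an already-populated `node_modules` or a cached tarball.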
Detection coverage: 1 rule
Detect Suspicious Outbound Connection from NPM
Severity: medium. Detects suspicious outbound network connections initiated by npm processes, potentially indicating malicious activity.
Detection queries are available on the platform.
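To show what the rule above has to catch, here is an added example of the detection logic in Python, run over constructed telemetry. It is not the platform's Sigma rule and not code from the page. It goes one step beyond a single-event rule: npm runs lifecycle scripts through `sh -c`, so the process that actually opens the socket is usually a grandchild of npm, and a rule that only looks at Image and ParentImage either misses it or has to match every node process. The example therefore indexes Sysmon-style process-create events (EventID 1) and walks the ancestry of each network event (EventID 3) until it finds npm. The field names follow Sysmon; the registry allowlist, the depth limit and every event are assumptions constructed for this example.

```python
import ipaddress
import re

# Assumption: extend with any internal registry mirror your builds are allowed to reach.
REGISTRY_ALLOWLIST = {"registry.npmjs.org", "registry.yarnpkg.com"}
MAX_ANCESTRY_DEPTH = 4  # npm -> sh -> node (lifecycle script) -> child is the usual chain


def basename(path: str) -> str:
    return re.split(r"[\\/]", path or "")[-1].lower().removesuffix(".exe")


def is_npm_process(proc: dict) -> bool:
    """The npm CLI itself runs as node executing npm-cli.js; cover the common wrappers too."""
    cmd = proc.get("CommandLine", "")
    return (basename(proc.get("Image")) in {"npm", "npx", "pnpm", "yarn"}
            or "npm-cli.js" in cmd or "npx-cli.js" in cmd)


def build_process_table(events: list) -> dict:
    """Index Sysmon-style process-create events (EventID 1) by ProcessGuid."""
    return {ev["ProcessGuid"]: ev for ev in events if ev.get("EventID") == 1}


def npm_ancestor(guid: str, table: dict, max_depth: int = MAX_ANCESTRY_DEPTH):
    """Walk the parent chain; return the CommandLine of the nearest npm process, or None."""
    for _ in range(max_depth + 1):
        proc = table.get(guid)
        if proc is None:
            return None
        if is_npm_process(proc):
            return proc["CommandLine"]
        guid = proc.get("ParentProcessGuid")
    return None


def destination_is_expected(ev: dict, allowlist: set) -> bool:
    """Registry hosts and loopback are normal during an install; anything else is not."""
    host = ev.get("DestinationHostname", "")
    if host and any(host == a or host.endswith("." + a) for a in allowlist):
        return True
    try:
        return ipaddress.ip_address(ev.get("DestinationIp", "")).is_loopback
    except ValueError:
        return False  # no parseable address: do not vouch for it


def detect(events: list, allowlist: set = REGISTRY_ALLOWLIST) -> list:
    """Return network events whose process descends from npm and reaches a non-registry host."""
    table = build_process_table(events)
    hits = []
    for ev in events:
        if ev.get("EventID") != 3 or not ev.get("Initiated"):
            continue
        origin = npm_ancestor(ev["ProcessGuid"], table)
        if origin is None or destination_is_expected(ev, allowlist):
            continue
        hits.append({
            "process": ev["Image"],
            "dest": f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}",
            "npm_command": origin,
        })
    return hits


# Constructed Sysmon-like telemetry: an `npm install` whose postinstall script phones home.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "G-bash", "ParentProcessGuid": None, "Image": "/bin/bash", "CommandLine": "bash"},
    {"EventID": 1, "ProcessGuid": "G-npm", "ParentProcessGuid": "G-bash", "Image": "/usr/bin/node",
     "CommandLine": "node /usr/lib/node_modules/npm/bin/npm-cli.js install"},
    {"EventID": 1, "ProcessGuid": "G-sh", "ParentProcessGuid": "G-npm", "Image": "/bin/sh",
     "CommandLine": "sh -c node scripts/postinstall.js"},
    {"EventID": 1, "ProcessGuid": "G-post", "ParentProcessGuid": "G-sh", "Image": "/usr/bin/node",
     "CommandLine": "node scripts/postinstall.js"},
    {"EventID": 1, "ProcessGuid": "G-dev", "ParentProcessGuid": "G-bash", "Image": "/usr/bin/node",
     "CommandLine": "node server.js"},
    # npm fetching tarballs from the registry: expected
    {"EventID": 3, "ProcessGuid": "G-npm", "Image": "/usr/bin/node", "Initiated": True,
     "DestinationHostname": "registry.npmjs.org", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # postinstall script connecting to an unrelated host on a non-web port: the rule's target
    {"EventID": 3, "ProcessGuid": "G-post", "Image": "/usr/bin/node", "Initiated": True,
     "DestinationIp": "198.51.100.23", "DestinationPort": 4444},
    # postinstall talking to loopback (e.g. a local build service): expected
    {"EventID": 3, "ProcessGuid": "G-post", "Image": "/usr/bin/node", "Initiated": True,
     "DestinationIp": "127.0.0.1", "DestinationPort": 8080},
    # a dev server started by hand reaching the same bad host: not npm-related, other rules cover it
    {"EventID": 3, "ProcessGuid": "G-dev", "Image": "/usr/bin/node", "Initiated": True,
     "DestinationIp": "198.51.100.23", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The only hit is the postinstall node process reaching 198.51.100.23:4444, attributed back to the `npm install` that spawned it; the registry fetch, the loopback connection and the hand-started dev server are all ignored. When porting this to a single-event Sigma rule, the ancestry walk is what you lose, so either match on `ParentImage` being `sh`/`node` with a `CommandLine` filter for known lifecycle script names, or enrich events with ancestry before the rule runs; tune the allowlist with any internal mirrors before enabling it in CI, where every build otherwise trips it.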