Hackers have compromised dozens of popular open source packages in an ongoing supply chain attack

Published: (May 19, 2026 at 11:32 AM EDT)
2 min read
Source: TechCrunch

Macro shot of computer monitor displaying colorful programming code lines.
Image Credits: fotograzia / Getty Images

Overview

Hackers have compromised dozens of popular open‑source packages in an ongoing supply‑chain attack that targets developers and the projects they maintain. The campaign, dubbed “Mini Shai‑Hulud,” follows a previous, larger‑scale intrusion and aims to inject malicious updates that downstream users automatically receive.

Details of the attack

  • Timeline: The attackers took control of a developer’s account and, within roughly 20 minutes, published more than 630 malicious versions across 317 packages.
  • Motivation: The primary goal is credential theft—particularly passwords stored in password managers—to facilitate further data exfiltration and malware propagation.
  • Method: By compromising the maintainer’s account, the attackers can push malicious releases to package registries (e.g., npm) and, in some cases, directly to GitHub repositories.
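
The attack pattern above (a compromised maintainer account pushing new versions that downstream projects pick up automatically) is something a defender can check for on their own side. The following script is an added example, not code from TechCrunch, StepSecurity or SafeDep: it walks the `packages` section of a lockfileVersion 2/3 `package-lock.json`, flags any installed package/version pair that appears on a vendor advisory list, and separately flags any installed version whose publish timestamp falls inside a recent window, using metadata in the shape of the npm registry's `time` field. The lockfile, advisory list, registry timestamps and package names (`@example/charts`, `tiny-util`, `left-pad-like`) are all constructed for the demonstration.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the "packages" section of a lockfileVersion 3 package-lock.json.
# Keys are install paths; "" is the root project itself.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad-like": {"version": "1.3.0"},
        "node_modules/@example/charts": {"version": "2.4.1"},
        "node_modules/@example/charts/node_modules/tiny-util": {"version": "0.9.9"},
    },
})

# Constructed advisory: (package, version) pairs a vendor report lists as malicious.
KNOWN_BAD = {("@example/charts", "2.4.1")}

# Constructed registry metadata mirroring the npm registry "time" field
# (version -> ISO 8601 publish timestamp), keyed by package name.
SAMPLE_REGISTRY_TIME = {
    "left-pad-like": {"1.3.0": "2025-11-01T10:00:00.000Z"},
    "@example/charts": {
        "2.4.0": "2025-10-20T09:00:00.000Z",
        "2.4.1": "2026-05-18T22:41:00.000Z",
    },
    "tiny-util": {"0.9.9": "2026-05-18T22:45:00.000Z"},
}

# Constructed cutoff: flag anything published at or after this instant.
SINCE = "2026-05-18T00:00:00Z"


def package_name_from_path(path: str) -> str:
    """Return the package name for a lockfile install path.

    The name is everything after the last "node_modules/" segment, so nested
    dependencies and scoped names ("@scope/name") are both handled.
    """
    return path.rsplit("node_modules/", 1)[-1]


def installed_packages(lockfile_text: str) -> list[tuple[str, str]]:
    """Parse a package-lock.json (v2/v3) into (name, version) pairs, root excluded."""
    data = json.loads(lockfile_text)
    result = []
    for path, meta in data.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        result.append((package_name_from_path(path), meta["version"]))
    return result


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_known_bad(installed, known_bad) -> list[tuple[str, str]]:
    """Installed pairs that match the advisory list exactly, sorted for stable output."""
    return sorted(pair for pair in installed if pair in known_bad)


def find_recent_publishes(installed, registry_time, since_iso: str) -> list[tuple[str, str]]:
    """Installed versions whose publish time is at or after the cutoff.

    Packages missing from the metadata are skipped rather than guessed about.
    """
    since = parse_timestamp(since_iso)
    hits = []
    for name, version in installed:
        published = registry_time.get(name, {}).get(version)
        if published is not None and parse_timestamp(published) >= since:
            hits.append((name, version))
    return sorted(hits)


def audit(lockfile_text: str, known_bad, registry_time, since_iso: str) -> dict:
    """Run both checks over one lockfile and return the findings."""
    installed = installed_packages(lockfile_text)
    return {
        "known_bad": find_known_bad(installed, known_bad),
        "recent": find_recent_publishes(installed, registry_time, since_iso),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_LOCKFILE, KNOWN_BAD, SAMPLE_REGISTRY_TIME, SINCE)
    for kind, pairs in findings.items():
        for name, version in pairs:
            print(f"{kind}: {name}@{version}")
```

The two checks answer different questions: the advisory match tells you whether a version a vendor already named is in your tree, while the publish-window check surfaces anything that landed during the incident window even if it has not been named yet, which matters when hundreds of versions were pushed in about twenty minutes. Against a real project, replace the constructed lockfile with the file on disk and the constructed `time` dictionaries with the registry metadata for each package.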

Affected projects

  • AntV – a visualization library maintained by Alibaba.
  • Additional packages spanning various ecosystems were also compromised; the full list is detailed in the reports from StepSecurity and SafeDep.

“Hackers took over the account of one developer and released over 630 malicious versions across 317 packages in about 20 minutes.” – SafeDep

Further reading

  • StepSecurity blog post: Shai‑Hulud – Here we go again: mass npm supply‑chain attack hits the AntV ecosystem
  • SafeDep analysis: Mini Shai‑Hulud strikes again – 314 npm packages compromised
  • JFrog Security tweet on malicious GitHub updates