323 npm packages got infected in 22 minutes. Right now, as you're reading this, a developer installing an AntV package somewhere might be handing over their AWS keys without knowing it.

TL;DR
TeamPCP hijacks npm maintainer account (atool) → injects malicious code into 323 AntV ecosystem packages → every install silently steals 20+ cloud credentials → data exfiltrated to 2,500+ GitHub repos
323
Unique packages compromised
22 min
Time to complete the attack
11M
Weekly downloads (echarts-for-react)
20+
Credential types stolen

What actually happened?

On May 19, 2026, at 01:39 UTC, something strange started happening in the npm ecosystem. In a 22-minute burst, 639 malicious package versions were published simultaneously — hitting the AntV data visualization libraries (@antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2), echarts-for-react, and timeago.js all at once.

Here's the thing: TeamPCP didn't break into npm itself. They compromised a single npm maintainer account called 'atool' — and that one account had publish permissions across hundreds of packages in the AntV ecosystem. One weak link, entire ecosystem down.

What struck me most wasn't the scale — it was the speed. 22 minutes. No human reaction time at all. By the time any security team could notice and start responding, tens of thousands of developers running CI/CD pipelines had already installed the infected versions.

Why is this a bigger deal than it looks?

Two things make this attack particularly nasty: the breadth of credentials it steals and Sigstore attestation forgery.

Act now: If you've installed any of the packages below recently, rotate your cloud credentials immediately. "I'll get to it later" is not a safe option here.
Package Weekly Downloads Status
echarts-for-react ~1.1M Compromised
@antv/g2 Hundreds of K Compromised
@antv/g6 Hundreds of K Compromised
@antv/x6 Hundreds of K Compromised
@antv/l7 Tens of K Compromised
timeago.js ~1.5M Compromised
size-sensor Hundreds of K Compromised
canvas-nest.js Tens of K Compromised

The malicious payload (~499KB obfuscated JavaScript) runs automatically via a preinstall hook during npm install. It systematically sweeps 130+ file paths for AWS, Google Cloud, Azure, GitHub tokens, npm tokens, SSH keys, Kubernetes service accounts, Vault, Stripe, and database connection strings. It even tries a Docker container escape via the host socket.

And here's the kicker — this attack forged Sigstore attestations. In CI/CD environments, it extracts GitHub Actions OIDC tokens directly from runner process memory, uses them to obtain legitimate Sigstore signing certificates. The green "provenance verified" badge still shows. Standard tooling can't tell the difference.

Stolen data was shipped to t.m-kosche[.]com:443, with Session P2P network (filev2.getsession[.]org) as a fallback. Attackers then used stolen GitHub tokens to create 2,500+ public repositories as distributed data dumps.

What to do right now

  1. Check if you're affected
    Search your package.json and package-lock.json for @antv/*, echarts-for-react, timeago.js. Run npm ls @antv/g2 to check transitive dependencies too.
  2. Remove persistence artifacts BEFORE rotating credentials
    The malware plants backdoors in.claude/settings.json hooks, VS Code tasks, and systemd daemons. If you rotate credentials first, those daemons will steal the new ones immediately. Order matters.
  3. Rotate all credentials
    AWS keys, GCP service accounts, Azure credentials, GitHub PATs, npm tokens, SSH keys — all of them. Not "just in case" — assume compromise.
  4. Audit your GitHub repos
    Search GitHub for "niagA oG eW ereH :duluH-iahS" (reverse of "Shai-Hulud: Here We Go Again"). That's how attackers labeled their data dump repositories.
  5. Enable npm 2FA
    GitHub already invalidated 61,274 npm access tokens. Reissue yours and enable 2FA with publish protection — the original attack vector was a compromised maintainer account.
  6. Use --ignore-scripts going forward
    npm install --ignore-scripts blocks preinstall/postinstall hook execution. Make this a default in your CI/CD pipelines.

Go deeper

Microsoft Security Blog analysis Official coverage of TeamPCP's TTPs and detection guidance per CI/CD environment. microsoft.com

Snyk technical deep-dive Covers the 498KB payload structure, AES-256-GCM encryption, RSA-OAEP key wrapping, and persistence mechanisms in detail. snyk.io

Orca Security remediation guide Step-by-step persistence artifact removal and CI/CD pipeline hardening recommendations. orca.security

Endor Labs — Sigstore forgery analysis Technical breakdown of SLSA Build Level 3 provenance forgery and detection methods. endorlabs.com

StepSecurity defense tools Open-source tooling for detecting the attack in GitHub Actions and automating defense configurations. stepsecurity.io