Severity: CRITICAL
CVSS: 9.5
Priority: 0.938
Executive Summary
On May 19, 2026, attackers injected malicious code into 639 versions of 323 npm packages within a single hour, targeting widely-used data visualization libraries from the AntV ecosystem and other high-download packages. The campaign introduces forged software provenance certificates, self-spreading worm behavior, and backdoors that persist inside developer IDE extensions after packages are cleaned up, meaning standard remediation may leave environments compromised. Any organization whose developers installed affected packages may have exposed source code, cloud credentials, Kubernetes secrets, and SSH keys to attacker-controlled infrastructure.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: CRITICAL. Critical severity — immediate action required
Actor Attribution: HIGH. Unattributed — Shai-Hulud campaign operator(s)
TTP Sophistication: HIGH. 17 MITRE ATT&CK techniques identified
Detection Difficulty: HIGH. Multiple evasion techniques observed
Target Scope: INFO
npm ecosystem: @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/g2plot, @antv/graphin, echarts-for-react, timeago.js, size-sensor, canvas-nest.js, jest-canvas-mock (323 packages, 639 malicious versions); Development environments: VS Code, Claude Code; CI/CD: GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI; Infrastructure: Kubernetes, Docker, HashiCorp Vault; Platforms: GitHub, Vercel, Netlify
Are You Exposed?
⚠ Your industry is targeted by Unattributed — Shai-Hulud campaign operator(s) → Heightened risk
⚠ You use products/services from npm ecosystem: @antv/g2 → Assess exposure
⚠ 17 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
A developer who installed any affected package during the exposure window may have handed attackers the keys to your cloud infrastructure, source code repositories, and internal secrets stores — not just the compromised machine. Because the malware persists inside IDE extensions that survive standard cleanup, and because stolen npm tokens enable the worm to republish infected code autonomously, the blast radius can expand after initial compromise without further attacker involvement. Organizations in software development, financial services, healthcare, or any regulated industry whose build pipelines touched these packages face potential unauthorized access to customer data, intellectual property theft, and breach notification obligations.
You Are Affected If
Your developers or CI/CD pipelines installed any of the following npm packages at versions published on or after 2026-05-19: @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/g2plot, @antv/graphin, echarts-for-react, timeago.js, size-sensor, canvas-nest.js, jest-canvas-mock
Your build environments (GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI) run npm install without lockfile integrity enforcement (npm ci) or without a private registry proxy that scans package contents
Developer workstations running VS Code or Claude Code installed any of the affected packages and have not had their IDE extensions audited and reinstalled from scratch
Your CI/CD pipelines rely on Sigstore or SLSA provenance attestation as a primary supply chain verification control without additional behavioral or content-level inspection
Kubernetes secrets, HashiCorp Vault tokens, cloud provider IAM credentials, GitHub tokens, or SSH keys were accessible from affected developer machines or build environments and have not yet been rotated
Board Talking Points
Attackers compromised over 600 versions of widely-used developer tools in a single hour, targeting the credentials and cloud access of any engineer who installed them.
Security teams should immediately audit developer machines and build pipelines for affected packages and rotate all cloud and repository credentials — this week, not next sprint.
Organizations that do not act risk ongoing, undetected access to source code and cloud infrastructure, because the malware survives standard cleanup and can continue spreading autonomously using stolen tokens.
Technical Analysis
The Shai-Hulud Wave 3 campaign executed on 2026-05-19, pushing 639 malicious versions across 323 npm packages in under 60 minutes (per BleepingComputer, Aikido, and StepSecurity reporting as of 2026-05-20).
Confirmed affected packages include @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/g2plot, @antv/graphin, echarts-for-react, timeago.js, size-sensor, canvas-nest.js, and jest-canvas-mock.
Five novel capabilities distinguish this wave from prior Shai-Hulud activity:
1. Forged Sigstore/SLSA provenance attestations (CWE-295, CWE-494): Malicious versions carried fabricated attestation signatures designed to pass standard supply chain verification tooling, undermining attestation-based controls in CI/CD pipelines.
2. Self-propagating worm (CWE-506, T1195.001, T1554): Malware harvested npm tokens from compromised developer environments and used them to republish infected versions, enabling autonomous lateral spread across the registry without further attacker interaction.
3. IDE-layer persistence (T1176, T1547): Backdoors were implanted in VS Code and Claude Code extensions. These persist after npm package removal, surviving standard incident response cleanup steps.
4. Credential harvesting (CWE-522, CWE-312, T1552.001, T1552.004, T1528, T1550.001): Targeted artifacts include GitHub tokens, AWS/GCP/Azure credentials, Kubernetes secrets, HashiCorp Vault tokens, Docker credentials, and SSH private keys.
5. P2P exfiltration via Session Protocol encrypted channels (T1041, T1567, T1027): Stolen data exits over peer-to-peer encrypted channels, bypassing perimeter egress monitoring and network-based DLP.
Additional MITRE techniques observed: T1059.007 (JavaScript execution), T1053 (scheduled tasks for persistence), T1078/T1078.001 (valid account abuse), T1567.001 (exfiltration to code repository), T1650 (acquire access).
No CVE IDs assigned. No vendor-issued patches; remediation requires version pinning, audit of installed extensions, and credential rotation. As of 2026-05-20, no official security advisory has been published by npm or GitHub Security. This assessment relies on T3 threat intelligence sources (BleepingComputer, Aikido, StepSecurity); verification from npm, GitHub Security, or CISA is pending. Confidence in TTP and affected package list is high based on cross-source corroboration, but readers should monitor official channels for updated guidance.
CWE references: CWE-494 (Download of Code Without Integrity Check), CWE-295 (Improper Certificate Validation), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-312 (Cleartext Storage of Sensitive Information), CWE-506 (Embedded Malicious Code), CWE-522 (Insufficiently Protected Credentials).
Action Checklist IR ENRICHED
Triage Priority: IMMEDIATE
Escalate to CISO, legal, and external IR retainer immediately if HashiCorp Vault audit logs, Kubernetes RBAC logs, or cloud provider audit logs confirm unauthorized secret access or API calls using compromised credentials, or if npm registry evidence shows the worm successfully published malicious versions under your organization's package namespaces — either condition indicates active data exfiltration or downstream customer impact triggering breach notification assessment.
Step 1: Containment — Pin @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/g2plot, @antv/graphin, echarts-for-react, timeago.js, size-sensor, canvas-nest.js, and jest-canvas-mock to versions published before 2026-05-19 in all CI/CD pipelines. Block npm install from pulling versions dated 2026-05-19 or later for these packages. Isolate any build system or developer workstation that installed affected versions since 2026-05-19. Enforce egress filtering on isolated systems to block Session Protocol P2P traffic patterns. (Cite: NIST AC-4 — Information Flow Enforcement / NIST AC-6 — Least Privilege / CIS 2.3 — Address Unauthorized Software / D3-UAP — User Account Permissions)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy: isolate affected systems, prevent further spread before eradication begins
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST CM-3 (Configuration Change Control)
CIS 2.3 (Address Unauthorized Software)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Run `npm ls --all 2>/dev/null | grep -E '@antv/(g2|g6|x6|l7|g2plot|graphin)|echarts-for-react|timeago\.js|size-sensor|canvas-nest\.js|jest-canvas-mock'` across all developer workstations via a pushed shell script or Ansible ad-hoc task. For CI/CD blocking without a paid registry proxy, add a pre-install step to GitHub Actions or GitLab CI that fails the build if any of the 11 package names appear in `package-lock.json` or `yarn.lock` with a version published after 2026-05-18. The lockfile records resolved versions but not publish dates, so the check below fails on any occurrence of a matching name; confirm the publish date of each flagged version with `npm info <package> time --json`. Use `node -e "const l=require('./package-lock.json'); Object.keys(l.packages||{}).forEach(p=>{if(/<affected-pkg-regex>/.test(p)) process.exit(1)})"`. Network-isolate affected build runners by removing their outbound internet routing rules at the host firewall level using `iptables -I OUTPUT -j DROP` until the pipeline is patched.
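An added example (not part of the original advisory) of the lockfile gate described above, extended to check publish dates: it matches the 11 package names in a parsed `package-lock.json` (lockfileVersion 2 or 3) and compares each resolved version against publish times in the shape returned by `npm view <package> time --json`. The function names, sample lockfile, versions and timestamps are constructed for illustration.

```javascript
// Added example: flag affected packages in a parsed package-lock.json.
// SAMPLE_LOCK and SAMPLE_TIMES are constructed; they are not real versions.

const AFFECTED = new Set([
  '@antv/g2', '@antv/g6', '@antv/x6', '@antv/l7', '@antv/g2plot', '@antv/graphin',
  'echarts-for-react', 'timeago.js', 'size-sensor', 'canvas-nest.js', 'jest-canvas-mock',
]);
const CUTOFF = Date.parse('2026-05-19T00:00:00Z');

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// lock: parsed package-lock.json.
// publishTimes: { packageName: { version: ISO timestamp } }.
function scanLockfile(lock, publishTimes) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "name" is only present when it differs from the folder (npm aliases).
    const name = entry.name || packageNameFromPath(path);
    if (!name || !AFFECTED.has(name)) continue;
    const published = (publishTimes[name] || {})[entry.version] || null;
    let verdict;
    if (!published) verdict = 'unknown-publish-time'; // cannot be cleared offline
    else if (Date.parse(published) >= CUTOFF) verdict = 'suspect';
    else verdict = 'pre-cutoff';
    findings.push({
      path, name, version: entry.version, published,
      integrity: entry.integrity || null, verdict,
    });
  }
  return findings;
}

// Fail closed: an affected package with no known publish time blocks the build.
function shouldFailBuild(findings) {
  return findings.some((f) => f.verdict !== 'pre-cutoff');
}

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@antv/g2': { version: '1.0.1-sample', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/size-sensor': { version: '1.0.0-sample' },
    'node_modules/chart-wrapper/node_modules/size-sensor': { version: '1.0.1-sample' },
    'node_modules/timeago.js': { version: '1.0.2-sample' },
    'node_modules/unrelated-lib': { version: '2.0.0' },
  },
};
const SAMPLE_TIMES = {
  '@antv/g2': { '1.0.1-sample': '2026-05-19T10:12:00.000Z' },
  'size-sensor': {
    '1.0.0-sample': '2025-11-02T08:00:00.000Z',
    '1.0.1-sample': '2026-05-19T10:40:00.000Z',
  },
};

const sampleFindings = scanLockfile(SAMPLE_LOCK, SAMPLE_TIMES);
for (const f of sampleFindings) {
  console.log(`${f.verdict.padEnd(21)} ${f.name}@${f.version}  (${f.path})`);
}
console.log(shouldFailBuild(sampleFindings) ? 'FAIL build' : 'OK');
```

The nested `size-sensor` entry shows why matching only top-level `node_modules/<name>` keys is not enough: a transitive copy can resolve to a different version than the hoisted one.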
Preserve Evidence
Before isolating, snapshot the full resolved dependency tree with `npm ls --all --json > dep-tree-$(hostname)-$(date +%Y%m%d%H%M%S).json` to preserve which malicious versions were present. Capture `~/.npm/_cacache/` directory listing and `package-lock.json` / `yarn.lock` from every affected project — these record the exact resolved version hashes that were installed and will confirm whether compromised versions were fetched. Preserve CI/CD runner job logs from GitHub Actions (`~/.npm/_logs/`, runner `_diag/` directory) or GitLab CI job artifacts that show `npm install` output with resolved version strings for the 11 packages between 2026-05-19T00:00Z and present.
Step 2: Detection — Audit all CI/CD build logs and local npm cache logs for installs of affected packages with version timestamps on or after 2026-05-19 (Cite: NIST AU-2 — Event Logging / NIST AU-6 — Audit Record Review, Analysis, And Reporting / CIS 8.2 — Collect Audit Logs). Enumerate VS Code and Claude Code extensions on all developer workstations using 'code --list-extensions'; flag any extension installed or modified after 2026-05-18 not present in your approved software inventory (Cite: CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.3 — Address Unauthorized Software / D3-SFA — System File Analysis). Query secrets management audit logs in HashiCorp Vault, Kubernetes, and cloud providers for access events originating from developer workstation IPs or CI/CD runner IPs during the exposure window (Cite: NIST AU-6 — Audit Record Review, Analysis, And Reporting / NIST AU-3 — Content Of Audit Records). Monitor for outbound encrypted UDP/TCP traffic to unfamiliar endpoints inconsistent with known npm, GitHub, or CDN egress patterns — Session Protocol P2P exfiltration will not match standard vendor ranges (Cite: NIST AC-4 — Information Flow Enforcement / D3-PBWSAM — Proxy-based Web Server Access Mediation / D3-EBWSAM — Endpoint-based Web Server Access Mediation). Analyze startup configuration files and process init entries on affected systems for persistence artifacts introduced by IDE backdoors (Cite: D3-SICA — System Init Config Analysis).
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: correlate indicators across log sources, identify scope of compromise, and declare incident when criteria are met
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Enumerate VS Code extensions on all developer machines with `code --list-extensions --show-versions > vscode-extensions-$(hostname)-$(date +%Y%m%d).txt`; diff output against a known-good baseline or flag any extension with a `lastModifiedDate` (found in `~/.vscode/extensions/<ext>/package.json`) after 2026-05-18. For Claude Code, inspect `~/.claude/extensions/` or the equivalent platform directory for recently written files: create a reference timestamp with `touch -t 202605180000 /tmp/ref_date`, then run `find ~/.claude -newer /tmp/ref_date -type f`. Detect Session Protocol P2P exfiltration traffic without a SIEM by running `tcpdump -nn -i any 'not (dst net 104.16.0.0/12 or dst net 151.101.0.0/16 or dst net 8.8.8.0/24) and (udp or tcp) and not port 443' -w session-p2p-$(date +%Y%m%d).pcap` on developer workstation network segments; Session Protocol uses onion-routed encrypted UDP that will produce sustained traffic to rotating IPs not in npm/CDN ASNs. Query HashiCorp Vault audit log (`vault audit list`; default log at `/var/log/vault/audit.log`) for `auth.accessor` values tied to developer or CI runner tokens during the exposure window using `jq 'select(.time >= "2026-05-19") | select(.request.remote_address | test("<dev-subnet>"))' audit.log`.
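An added example (not from the original advisory) of the Vault audit-log query above, done without jq: it keeps successful read/list responses inside a time window from a given IPv4 subnet and groups them by token accessor. The log lines, subnet, accessor values and the default path filter are constructed assumptions; the field names follow Vault's JSON audit format.

```javascript
// Added example: group Vault audit-log secret reads by token accessor.
// Every entry in SAMPLE_LINES is constructed.

function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits); // addresses per block
  return Math.floor(a / size) === Math.floor(b / size);
}

// from/to are date prefixes such as "2026-05-19": RFC 3339 UTC timestamps
// compare correctly as strings against a bare date. "to" is exclusive.
// pathPattern (assumption): KV v2 reads and lists go through /data/ or /metadata/.
function triageVaultAudit(lines, { from, to, subnet, pathPattern = /\/(data|metadata)\// }) {
  const groups = new Map();
  let malformed = 0;
  for (const line of lines) {
    if (!line.trim()) continue;
    let e;
    try { e = JSON.parse(line); } catch { malformed++; continue; }
    if (e === null || typeof e !== 'object') { malformed++; continue; }
    const req = e.request || {};
    // Each call is logged twice; count only responses without an error.
    if (e.type !== 'response' || e.error) continue;
    if (!(typeof e.time === 'string' && e.time >= from && e.time < to)) continue;
    if (req.operation !== 'read' && req.operation !== 'list') continue;
    if (!pathPattern.test(req.path || '')) continue;
    if (!inCidr(req.remote_address, subnet)) continue;
    // Accessors are logged as HMACs unless the audit device sets hmac_accessor=false.
    const accessor = (e.auth && e.auth.accessor) || '(none)';
    if (!groups.has(accessor)) {
      const displayName = (e.auth && e.auth.display_name) || null;
      groups.set(accessor, { accessor, displayName, reads: 0, paths: new Set(), sources: new Set() });
    }
    const g = groups.get(accessor);
    g.reads++;
    g.paths.add(req.path);
    g.sources.add(req.remote_address);
  }
  const byAccessor = [...groups.values()]
    .map((g) => ({ ...g, paths: [...g.paths].sort(), sources: [...g.sources].sort() }))
    .sort((x, y) => y.reads - x.reads);
  return { byAccessor, malformed };
}

// Helper that builds one constructed audit line.
const mk = (time, type, accessor, name, op, path, ip, error) =>
  JSON.stringify({
    time, type, error,
    auth: { accessor, display_name: name },
    request: { operation: op, path, remote_address: ip },
  });

const CI = 'hmac-sha256:constructed-ci';
const DEV = 'hmac-sha256:constructed-dev';
const SAMPLE_LINES = [
  mk('2026-05-19T10:15:02.481Z', 'request', CI, 'token-ci-runner', 'read', 'secret/data/prod/db', '10.20.4.17'),
  mk('2026-05-19T10:15:02.481Z', 'response', CI, 'token-ci-runner', 'read', 'secret/data/prod/db', '10.20.4.17'),
  mk('2026-05-19T10:15:03.120Z', 'response', CI, 'token-ci-runner', 'read', 'secret/data/prod/aws', '10.20.4.17'),
  mk('2026-05-18T23:00:00.000Z', 'response', CI, 'token-ci-runner', 'read', 'secret/data/prod/db', '10.20.4.17'),
  mk('2026-05-19T11:00:00.000Z', 'response', 'hmac-sha256:constructed-ops', 'token-ops', 'read', 'secret/data/prod/db', '192.168.50.9'),
  mk('2026-05-19T11:05:00.000Z', 'response', DEV, 'token-dev-laptop', 'read', 'secret/data/prod/db', '10.20.7.3', 'permission denied'),
  '{"time":"2026-05-19T11:06:00Z","type":"resp',
  mk('2026-05-20T09:30:00.000Z', 'response', DEV, 'token-dev-laptop', 'read', 'secret/data/prod/db', '10.20.7.3'),
];

const sampleReport = triageVaultAudit(SAMPLE_LINES, { from: '2026-05-19', to: '2026-05-21', subnet: '10.20.0.0/16' });
for (const g of sampleReport.byAccessor) {
  console.log(`${g.accessor} (${g.displayName}): ${g.reads} reads from ${g.sources.join(', ')} -> ${g.paths.join(', ')}`);
}
console.log(`malformed lines skipped: ${sampleReport.malformed}`);
```

The per-accessor path list is the input for scoping which secrets need rotation; the malformed count matters because a truncated audit file can hide entries.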
Preserve Evidence
Collect VS Code extension directory timestamps (`ls -la ~/.vscode/extensions/`) and the `package.json` of each extension installed or modified after 2026-05-18 — the backdoor will present as a new or silently updated extension. Extract npm install history from `~/.npm/_logs/*.log` filtering for the 11 package names. Pull HashiCorp Vault audit logs and Kubernetes API server audit logs (`/var/log/kubernetes/audit.log` or via `kubectl get events`) for secret read operations (`secrets/data/*` in Vault; `get`/`list` on `secrets` resource in k8s) from workstation or runner IPs after 2026-05-19. Capture a full packet capture or firewall flow logs showing outbound UDP/TCP to non-registry endpoints from build machines during the exposure window to identify Session Protocol C2 beaconing patterns.
Step 3: Eradication — Remove all affected package versions from lockfiles and caches. Pin to pre-2026-05-19 versions verified against npm's public registry. Validate lockfile integrity hashes (package-lock.json integrity field or yarn.lock sha512) against the registry-published values for pre-compromise versions; do not use cached or mirror-sourced versions (Cite: CIS 2.1 — Establish and Maintain a Software Inventory / CIS 4.6 — Securely Manage Enterprise Assets and Software / D3-FMBV — File Magic Byte Verification). Remove and reinstall VS Code and Claude Code extensions from scratch on any machine that installed affected packages; do not audit in place (Cite: CIS 2.3 — Address Unauthorized Software / D3-SFA — System File Analysis). Revoke and rotate all credentials accessible from affected environments: GitHub tokens, AWS/GCP/Azure IAM keys, Kubernetes service account tokens, HashiCorp Vault tokens, Docker registry credentials, SSH keys, and npm tokens. Treat npm tokens on affected developer machines as compromised to stop worm self-propagation (Cite: NIST AC-2 — Account Management / CIS 6.2 — Establish an Access Revoking Process / D3-CRO — Credential Rotation / D3-CH — Credential Hardening). Enforce least privilege on remaining active credentials — revoke any access rights not required for defined roles (Cite: NIST AC-6 — Least Privilege / D3-UAP — User Account Permissions).
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication: remove threat artifacts from all affected systems, verify removal, and address root causes before recovery begins
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST IA-5 (Authenticator Management)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
Verify clean package checksums by running `npm view <package>@<version> dist.integrity` for each pinned version and comparing against the `integrity` field in your `package-lock.json` — mismatches confirm tampered packages. Purge the npm cache entirely with `npm cache clean --force` and delete `node_modules` before reinstalling. For VS Code, fully remove the extensions directory (`rm -rf ~/.vscode/extensions`) and re-provision from a curated list using `cat approved-extensions.txt | xargs -I{} code --install-extension {}` — do not use 'Update All' from within a potentially backdoored instance. Revoke GitHub tokens by identifying the token in use with `gh auth token` (which only prints it) and revoking it through the GitHub API (`DELETE /applications/{client_id}/token`); rotate Kubernetes service account tokens by deleting and recreating the secret (`kubectl delete secret <sa-token-secret> -n <namespace>`); cycle HashiCorp Vault tokens with `vault token revoke -accessor <accessor>` for each exposed accessor found in audit logs.
Preserve Evidence
Before wiping `~/.vscode/extensions/`, take a forensic copy of all extension directories modified after 2026-05-18 — the backdoor source files will contain the malicious payload and may reveal C2 addresses or exfiltration logic for threat intelligence. Preserve `~/.npmrc` and `/etc/npmrc` showing any token values before rotation, storing them in a secured evidence repository (not version control). Document all Kubernetes secrets and Vault paths that were readable by compromised service accounts by running `vault token capabilities <token> <path>` against each suspected path before revocation — this scopes the data-at-risk for breach notification assessment. Capture the process list and loaded module list (`ps auxf`, `lsmod` on Linux; `Get-Process` on Windows) from affected machines before reimaging to detect any persistence mechanisms beyond IDE extensions.
Step 4: Recovery — After credential rotation, review cloud provider access logs (AWS CloudTrail, GCP Audit Logs, Azure Activity Log) under AU-6 for anomalous API calls using old credentials during the exposure window. Verify Kubernetes RBAC and HashiCorp Vault audit logs for unauthorized secret access during the same window (Cite: NIST AU-6 — Audit Record Review, Analysis, And Reporting / NIST AU-3 — Content Of Audit Records / NIST AU-11 — Audit Record Retention). Re-run the full dependency tree build from a clean environment with lockfile integrity verification enabled (npm ci, not npm install) (Cite: CIS 4.6 — Securely Manage Enterprise Assets and Software / D3-FMBV — File Magic Byte Verification). Monitor CI/CD pipeline outputs for unauthorized new package versions published to npm under your organization's namespaces — the worm uses stolen tokens to republish, so watch for unexpected version bumps (Cite: NIST AU-6 — Audit Record Review, Analysis, And Reporting / CIS 8.2 — Collect Audit Logs). Validate that no unauthorized accounts were created or privilege escalations occurred during the exposure window (Cite: NIST AC-2 — Account Management / D3-LAM — Local Account Monitoring).
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery: restore systems to normal operation, verify integrity of restored systems, and monitor for recurrence
NIST IR-4 (Incident Handling)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-11 (Audit Record Retention)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-3 (Configuration Change Control)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
Compensating Control
Query AWS CloudTrail for API calls by the compromised IAM keys using `aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=<rotated-user> --start-time 2026-05-19 --end-time <rotation-date>` filtering for `CreateUser`, `PutRolePolicy`, `GetSecretValue`, `AssumeRole`, and `s3:GetObject` event names that indicate lateral movement or data access. Monitor your npm organization namespaces for unauthorized publishes by polling `https://registry.npmjs.org/-/v1/search?text=maintainer:<your-org>&updated_after=<epoch>` or subscribing to npm's webhook for your organization — the Shai-Hulud worm publishes new malicious versions using stolen tokens within minutes of credential theft, so polling frequency should be every 5 minutes during the active recovery window. Re-run `npm ci` (not `npm install`) from a clean ephemeral build container using a pinned base image with no pre-existing `node_modules` or npm cache, and verify the resulting `node_modules/.package-lock.json` integrity hashes match your approved lockfile.
Preserve Evidence
Preserve AWS CloudTrail, GCP Audit Logs, and Azure Activity Log exports for the full exposure window (2026-05-19 through credential rotation date) before log retention windows expire — these are the primary evidence source for determining whether stolen IAM credentials were used for data exfiltration or privilege escalation. Export Kubernetes audit logs showing all `get`/`list`/`watch` operations on `secrets` resources by compromised service account identities. Retain npm registry publish history for your organization's packages (retrievable via `npm info <package> time --json`) to document whether the worm successfully republished any of your packages using stolen tokens — this is critical evidence for downstream customer notification decisions.
Step 5: Post-Incident — This campaign forged Sigstore/SLSA provenance certificates, defeating attestation-based supply chain defenses. Evaluate whether your pipeline's provenance verification detects forged attestations or relies solely on signature presence; supplement signature checks with certificate chain validation (Cite: D3-ACA — Active Certificate Analysis). Implement IDE extension allowlisting policies for all developer workstations — unmanaged extension installation was the persistence vector (Cite: CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.3 — Address Unauthorized Software / CIS 4.6 — Securely Manage Enterprise Assets and Software). Enforce npm ci over npm install in all pipelines and evaluate private registry proxies with content inspection to intercept malicious versions before they reach build environments (Cite: NIST AC-4 — Information Flow Enforcement / D3-PBWSAM — Proxy-based Web Server Access Mediation). Conduct an operational dependency mapping exercise to identify which internal systems and pipelines consumed the affected packages and remain at residual risk (Cite: D3-ODM — Operational Dependency Mapping). Require MFA on all npm publish-capable accounts and CI/CD service accounts to reduce the worm's ability to propagate via stolen tokens (Cite: CIS 6.5 — Require MFA for Administrative Access / D3-MFA — Multi-factor Authentication). Map identified control gaps to your software inventory and account management policies and update remediation timelines (Cite: CIS 7.1 — Establish and Maintain a Vulnerability Management Process / CIS 7.2 — Establish and Maintain a Remediation Process).
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: lessons learned meeting, evidence retention, capability improvement, and threat intelligence sharing
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST SA-12 (Supply Chain Protection)
NIST RA-3 (Risk Assessment)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
Compensating Control
For IDE extension allowlisting without an MDM/endpoint management platform, enforce VS Code extension policy via a workspace `.vscode/extensions.json` with `unwantedRecommendations` listing all non-approved extension IDs, and deploy a Git pre-commit hook that fails if `.vscode/extensions.json` is modified without a code review approval. Implement Sigstore cosign signature transparency log verification in CI/CD by adding `cosign verify --certificate-identity-regexp=<expected-identity> --certificate-oidc-issuer=https://token.actions.githubusercontent.com <image>` as a mandatory pipeline gate — this validates the certificate identity chain, not just signature presence, which is the gap the Shai-Hulud campaign exploited. Stand up a local Verdaccio private registry proxy (`npx verdaccio`) configured to cache and content-inspect packages against a YARA ruleset targeting the malicious payload patterns identified in this campaign before forwarding to the public registry.
Preserve Evidence
Retain all forensic artifacts, build logs, and cloud audit exports for a minimum of 12 months to support potential regulatory breach notification timelines and any downstream customer disclosure requirements. Document the exact Sigstore/SLSA attestation artifacts that were accepted by your pipeline for the compromised package versions — these forged certificates are primary evidence for reporting to Sigstore's transparency log monitors and for improving attestation verification logic. Produce a post-incident timeline mapping the 639 malicious version publish timestamps (all within a one-hour window on 2026-05-19) against your CI/CD build job history to precisely bound the exposure window for each affected system and support accurate breach scope determination.
Recovery Guidance
After credential rotation and environment rebuild, maintain elevated monitoring on your organization's npm package namespaces and cloud provider IAM activity for a minimum of 30 days, as the Shai-Hulud worm's use of stolen tokens for self-propagation means secondary infections in connected developer environments may not surface immediately. Verify that all rebuilt CI/CD pipelines produce deterministic builds using `npm ci` with lockfile integrity checks and that no pipeline stages have write access to npm registry credentials except a dedicated, gated publish job. Confirm with all affected developers that VS Code and Claude Code extensions have been fully wiped and reinstalled — do not accept self-reported audits, as the IDE backdoor is specifically designed to survive cleanup attempts that stop short of full extension directory deletion.
Key Forensic Artifacts
VS Code extension directory forensic copy (~/.vscode/extensions/ on Linux/macOS, %USERPROFILE%\.vscode\extensions\ on Windows): extensions installed or modified after 2026-05-19 are the primary persistence artifacts for the IDE backdoor component; preserve full directory with timestamps before any remediation
npm cache and lockfile artifacts (~/.npm/_cacache/, package-lock.json, yarn.lock, .yarn/cache/): contain cryptographic integrity hashes of the exact malicious package versions fetched, enabling confirmation of which of the 639 compromised versions were installed on each system
HashiCorp Vault audit log (/var/log/vault/audit.log or Vault audit backend output): JSON-structured log of every secret read/write operation with requestor token accessor, remote IP, and timestamp — primary evidence for determining which secrets were accessed from compromised developer or CI runner identities during the exposure window
Network packet capture or firewall flow logs showing outbound UDP/TCP from build machines to non-npm-registry endpoints: Session Protocol P2P exfiltration traffic produces sustained encrypted flows to rotating IP addresses outside npm registry ASNs (Fastly AS54113, Cloudflare AS13335); these flows are the forensic signature of active exfiltration by the malicious package payload
AWS CloudTrail / GCP Audit Logs / Azure Activity Log exports for the exposure window (2026-05-19 through credential rotation): API calls using compromised IAM keys, GitHub tokens, or service account credentials are the authoritative record of post-exploitation lateral movement and data access, and are required for breach scope determination and regulatory notification decisions
Detection Guidance
Detection for Shai-Hulud Wave 3 requires coverage across four layers: package install telemetry, IDE extension state, network egress anomalies, and secrets access audit logs.
1. Package Install Telemetry (NIST AU-2, AU-3, AU-6 / CIS 8.2): Query CI/CD build logs and local npm cache logs for any install of @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/g2plot, @antv/graphin, echarts-for-react, timeago.js, size-sensor, canvas-nest.js, or jest-canvas-mock where the version's npm registry publish timestamp falls on or after 2026-05-19. AU-2 requires identifying loggable event types; ensure npm install events with package version and timestamp fields are in scope. AU-3 requires audit records to capture what occurred, when, and from which source — confirm CI/CD log schemas include package name, version string, and install timestamp. AU-6 requires regular review of these records for indicators of compromise; automate a query against the 639 malicious version fingerprints.
2. IDE Extension Audit (CIS 2.1, 2.3 / D3-SFA — System File Analysis): Run 'code --list-extensions --show-versions' on all developer workstations and compare output against your authorized software inventory maintained under CIS 2.1. Flag any extension installed or last-modified after 2026-05-18 that is absent from the approved list. D3-SFA applies directly here — monitor the VS Code extension directory and Claude Code plugin paths as system files for unauthorized modification. Unrecognized extensions with filesystem or network permissions are high-confidence indicators of persistent IDE backdoor installation.
3. Network Egress Anomalies (NIST AC-4 / D3-PBWSAM, D3-EBWSAM): Session Protocol P2P exfiltration uses encrypted UDP and TCP to endpoints outside standard npm registry, GitHub, and CDN IP ranges. Standard DLP and egress filters tuned to known vendor ranges will not catch this traffic. Apply AC-4 Information Flow Enforcement controls to enforce allowlist-based egress from developer workstations and CI/CD runners — any encrypted traffic to endpoints not on the approved egress list should alert. D3-PBWSAM (Proxy-based Web Server Access Mediation) and D3-EBWSAM (Endpoint-based Web Server Access Mediation) provide the countermeasure pattern: route all developer and build system egress through an inspecting proxy and flag connections to unlisted endpoints. Correlate flagged egress IPs against known Session Protocol P2P node ranges as threat intelligence becomes available.
4. Secrets and Credential Access Audit (NIST AU-6, AU-3, AU-11 / D3-LAM — Local Account Monitoring): Query HashiCorp Vault audit logs, Kubernetes API server audit logs, and cloud provider access logs (AWS CloudTrail, GCP Audit Logs, Azure Activity Log) for secret or credential read events where the source IP matches developer workstation or CI/CD runner addresses during the 2026-05-19 exposure window. AU-3 requires records to capture the source of the access event — confirm your Vault and Kubernetes audit configurations include requesting IP and identity fields. AU-11 requires retaining these records long enough for post-incident analysis; validate retention settings cover your incident review window. D3-LAM applies to monitoring local and service accounts on CI/CD runners for unexpected secret access patterns.
5. Forged Provenance Certificate Detection (D3-ACA — Active Certificate Analysis): Standard Sigstore/SLSA signature-presence checks will not detect forged attestations in this campaign. Apply D3-ACA by actively collecting and analyzing the certificate chain presented in provenance attestations — validate issuer, subject, and certificate transparency log inclusion rather than accepting signature presence as proof of legitimacy. Flag any provenance certificate whose CT log entry postdates the package publish timestamp or whose issuer chain does not trace to the expected Sigstore root.
Indicators of Compromise (5)
1 domain
4 urls
Type Value Enrichment Context Conf.
⌘ DOMAIN
registry.npmjs.org (malicious versions)
VT
US
Malicious package versions were published to the official npm registry for 11 confirmed packages including @antv/g2, @antv/g6, @antv/x6. Block or audit installs of versions with publish timestamps on or after 2026-05-19.
HIGH
🔗 URL
https://www.npmjs.com/package/@antv/g2 (versions >= 2026-05-19)
VT
US
Confirmed affected package namespace. Treat any version published on or after 2026-05-19 as suspect until npm security team confirms clean versions.
HIGH
🔗 URL
https://www.npmjs.com/package/@antv/g6 (versions >= 2026-05-19)
VT
US
Confirmed affected package namespace.
HIGH
🔗 URL
https://www.npmjs.com/package/echarts-for-react (versions >= 2026-05-19)
VT
US
Confirmed affected package namespace.
HIGH
🔗 URL
Session Protocol P2P network (encrypted exfiltration channel)
VT
US
Stolen credentials and secrets were exfiltrated over Session Protocol encrypted P2P channels. Flag outbound encrypted traffic to unfamiliar endpoints not matching npm/GitHub/CDN ranges from developer machines or CI/CD runners.
MEDIUM
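The "publish timestamp on or after 2026-05-19" rule above, applied to a package-lock.json, as an added example that is not from the original advisory. The lockfile excerpt, the placeholder version numbers and the publish times are constructed, and `PUBLISH_TIMES` stands in for the registry's per-version `time` metadata so the check runs offline.

```javascript
// Added example. The lockfile excerpt and publish times below are constructed;
// the version numbers are placeholders, not versions named by the advisory.
const CUTOFF = "2026-05-19T00:00:00Z"; // date given on the page; midnight UTC is an assumption

const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@antv/g2": { version: "0.0.2-constructed" },
    "node_modules/echarts-for-react": { version: "0.0.1-constructed" },
    "node_modules/demo-dep/node_modules/@antv/g6": { version: "0.0.3-constructed" },
    "node_modules/size-sensor": { version: "0.0.9-constructed" },
  },
};

// Stand-in for the per-version `time` map of each package's registry metadata,
// keyed by package name so the example runs offline.
const PUBLISH_TIMES = {
  "@antv/g2": { "0.0.2-constructed": "2026-05-19T14:12:00Z" },
  "echarts-for-react": { "0.0.1-constructed": "2026-03-02T10:00:00Z" },
  "@antv/g6": { "0.0.3-constructed": "2026-05-20T01:30:00Z" },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root or workspace entries.
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

function auditLockfile(lock, publishTimes, cutoff = CUTOFF) {
  const findings = [];
  const cutoffMs = Date.parse(cutoff);
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || !entry.version) continue; // root, workspace and link entries
    const published = (publishTimes[name] || {})[entry.version];
    if (published === undefined) {
      // No publish time on record: cannot be cleared, so report it for manual review.
      findings.push({ name, version: entry.version, path, status: "unknown" });
    } else if (Date.parse(published) >= cutoffMs) {
      findings.push({ name, version: entry.version, path, status: "suspect", published });
    }
  }
  return findings;
}
```

Nested copies such as the `@antv/g6` entry under `demo-dep` are reported with their lockfile path, which is where transitive installs of an affected package show up.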
Platform Playbooks
Platforms: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Query legend: Hard indicator (direct match); Contextual (behavioral query); Shared platform (review required)
IOC Detection Queries (2)
1 URL indicator(s).
KQL Query Preview
// Threat: Shai-Hulud Wave 3: Forged Provenance, P2P Exfiltration, and IDE Backdoors Mark a
// Note: the single list entry is a descriptive label, not a URL, so this query
// will not match real RemoteUrl values until endpoint indicators replace it.
let malicious_urls = dynamic(["Session Protocol P2P network (encrypted exfiltration channel)"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Malicious URLs hosted on legitimate platforms. The domain is safe — the specific URL path is the indicator.
// Threat: Shai-Hulud Wave 3: Forged Provenance, P2P Exfiltration, and IDE Backdoors Mark a
// Specific malicious URLs on shared platforms
// The "(versions >= 2026-05-19)" annotation is not part of any URL and is dropped
// here so has_any can match; check the publish date of the version behind each hit.
let suspicious_urls = dynamic(["https://www.npmjs.com/package/@antv/g2", "https://www.npmjs.com/package/@antv/g6", "https://www.npmjs.com/package/echarts-for-react"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (suspicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (5)
Sentinel rule: Persistence via registry / startup
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Winlogon\\", "\\Services\\")
| where RegistryValueData has_any (".exe", ".dll", ".bat", ".ps1", ".vbs", "cmd", "powershell", "http")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious scheduled task creation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any ("/sc minute", "/sc hourly", "powershell", "cmd /c", "http", "\\\\", "frombase64")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
  {
    "type": "domain",
    "value": "registry.npmjs.org (malicious versions)",
    "source": "SCC Threat Intel",
    "description": "Malicious package versions were published to the official npm registry for 11 confirmed packages including @antv/g2, @antv/g6, @antv/x6. Block or audit installs of versions with publish timestamps on ",
    "severity": "high",
    "action": "detect",
    "platforms": [
      "windows",
      "mac",
      "linux"
    ],
    "applied_globally": true,
    "expiration": "2026-08-19T00:00:00Z"
  }
]
Route 53 DNS — Malicious Domain Resolution
# Note: the filter value carries a "(malicious versions)" annotation and is not a
# DNS name, so this query matches nothing as written.
fields @timestamp, qname, srcaddr, rcode
| filter qname in ["registry.npmjs.org (malicious versions)"]
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
T1176, T1554, T1550.001, T1547, T1552.004, T1053 (+11 more)
CM-7, SI-3, SI-4, AC-3, CA-7, SC-7 (+10 more)
A08:2021, A02:2021, A07:2021, A04:2021
2.5, 2.6, 3.10, 5.2, 6.3, 15.1 (+1 more)
164.308(a)(5)(ii)(D), 164.312(d), 164.312(e)(1)
MITRE ATT&CK Mapping
T1176: Software Extensions (persistence)
T1554: Compromise Host Software Binary (persistence)
T1550.001: Application Access Token (defense-evasion)
T1547: Boot or Logon Autostart Execution (persistence)
T1053: Scheduled Task/Job (execution)
T1041: Exfiltration Over C2 Channel (exfiltration)
T1528: Steal Application Access Token (credential-access)
T1567.001: Exfiltration to Code Repository (exfiltration)
T1567: Exfiltration Over Web Service (exfiltration)
T1027: Obfuscated Files or Information (defense-evasion)
T1650: Acquire Access (resource-development)
T1078: Valid Accounts (defense-evasion)
T1195.001: Compromise Software Dependencies and Development Tools (initial-access)
T1552.001: Credentials In Files (credential-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.