AI Shield Daily

How a $1,000 Monero Prize Turned One npm Exploit Into a Crowdsourced Supply Chain Crisis

Key Takeaways
  • Between 01:56 and 02:56 UTC on May 19, 2026, threat actors published 639 malicious npm package versions across 323 packages — representing over 15 million monthly downloads — by compromising a single npm publisher account.
  • The Shai-Hulud worm exfiltrates stolen credentials through Session's encrypted P2P messaging network, making its command-and-control traffic invisible to standard outbound monitoring tools and conventional threat intelligence feeds.
  • A novel Sigstore attestation bypass allows malicious packages to display valid provenance badges, directly undermining a widely adopted software supply chain security control that many teams treat as a final trust signal.
  • TeamPCP's decision to release the worm's full source code and run a gamified BreachForums contest has transformed this into a crowdsourced attack — security teams should prepare for sustained, copycat waves well beyond this initial incident.

What Happened

639. That is how many malicious npm package versions threat actor group TeamPCP injected into the world's largest JavaScript registry in approximately 60 minutes on May 19, 2026. According to BleepingComputer, the attack began at 01:56 UTC by compromising 'atool' — the npm publisher account responsible for the @antv ecosystem, a suite of data visualization libraries covering charting, graph rendering, and geographic mapping tools embedded in production applications across the enterprise software landscape.

The blast radius extended well beyond the @antv namespace. Packages with no direct relationship to that ecosystem — including timeago.js, size-sensor, echarts-for-react, and canvas-nest.js — were also weaponized within that same hour window. Collectively, the 323 affected packages represent more than 15 million monthly downloads. Socket.dev's automated analysis platform detected and flagged all 639 malicious versions during the attack window itself, noting that the worm deployed via a 'preinstall' hook in each package's manifest file and invoked its payload through the Bun JavaScript runtime — a choice specifically designed to circumvent detection tooling calibrated for Node.js environments.

TeamPCP made a pivotal strategic move roughly a week before this wave: on approximately May 12, 2026, the group released Shai-Hulud's complete source code publicly. They then partnered with BreachForums — a well-known cybercriminal marketplace — to offer a $1,000 USD prize denominated in Monero (a privacy-focused cryptocurrency) to participants whose compromised packages accumulated the highest cumulative download counts. StepSecurity analysts described this as converting a targeted supply chain campaign into a crowdsourced attack surface, warning that organizations should prepare for a sustained spike in similar compromise activity from copycat threat actors with no prior expertise requirements.

Why It Matters for Your Organization's Security

Two technical capabilities in this wave set it apart from prior supply chain compromises and should drive immediate review under any serious cybersecurity best practices framework.

Covert exfiltration via Session P2P. The worm routes stolen data — credentials, environment variables, API keys, CI/CD pipeline tokens — through the Session encrypted messaging network, a decentralized privacy-focused protocol. At the network perimeter, this traffic is structurally indistinguishable from a developer legitimately using the Session messaging app. Standard outbound traffic monitoring, data loss prevention (DLP) controls, and threat intelligence feeds that maintain blocklists of known-malicious IP addresses will not catch this channel. GitHub repositories serve as a secondary exfiltration fallback, adding redundancy to the attacker's data pipeline and ensuring that even if one channel is eventually detected, stolen data has likely already been transmitted.

Sigstore attestation spoofing. This is the capability that should most concern any security team that implemented provenance verification as a supply chain hardening measure after high-profile incidents like Log4Shell or the XZ Utils backdoor. The malware abuses OIDC tokens (identity tokens issued by CI/CD platforms such as GitHub Actions) captured from compromised build environments to generate legitimate Sigstore provenance attestations through Fulcio and Rekor — the certificate authority and transparency log services that underpin modern supply chain signing. In practical terms: a malicious package passes npm's provenance check and displays a valid 'verified' badge. Endor Labs documented an earlier variant of this badge-spoofing tactic in a prior AntV campaign involving 42 packages; the May 19 wave operationalized it at scale across 323 packages in a single hour.

Monthly Downloads — Top Compromised Packages (millions)
  • size-sensor: 4.2M
  • echarts-for-react: 3.8M
  • @antv/scale: 2.2M
  • timeago.js: 1.15M

Chart: Monthly download volumes for the four most-downloaded packages compromised in the May 19, 2026 Shai-Hulud wave. Data: Socket.dev, May 2026.

The exposure is concrete: size-sensor logs approximately 4.2 million monthly downloads, and echarts-for-react reaches 3.8 million. Both are embedded in production dashboards and internal tooling across thousands of organizations. As Endor Labs highlighted, timeago.js and size-sensor had not published new versions in years before this attack — making the sudden versioned publish a behavioral anomaly that static dependency scanning alone would not surface. Earlier Shai-Hulud waves had already compromised packages in the TanStack ecosystem, Mistral AI's toolchain, SAP's CAP development framework, and Guardrails AI libraries. The escalation pattern is consistent: compromise high-download-count publisher accounts, spoof provenance signals, exfiltrate via covert channels.

The data protection implications extend to any developer who ran npm install in an affected environment: every secret accessible at that moment should be treated as potentially exfiltrated. The security awareness gap this exploits is the assumption that a signed, attested package is a safe package — an assumption this campaign has formally invalidated. For context on how plugin and dependency sprawl amplifies this kind of blast radius, SaaS Tool Scout's analysis of enterprise plugin ecosystems illustrates why reducing unnecessary dependency surface area is increasingly a security imperative, not just an engineering preference.

The AI Angle

The detection story here starts with behavioral AI. Socket.dev's platform identified all 639 malicious versions during the active attack window — not in a post-incident forensic sweep. The system's behavioral threat intelligence engine flagged a compound signal: a preinstall hook executing an unusual runtime binary (Bun), followed by outbound connections to Session P2P endpoints, combined with a credential-access pattern consistent with environment variable harvesting. No prior signature existed for this exact payload combination. That is the operational advantage of AI-powered software composition analysis (SCA) — it identifies anomalous behavior rather than waiting for a known-malicious fingerprint to be registered and distributed.

Endor Labs applied a complementary lens rooted in statistical security awareness: packages like timeago.js had not published new versions in years. Machine learning models trained on publish cadence, account activity history, and dependency graph changes treat a sudden versioned release from a long-dormant account as a high-confidence anomaly. Organizations lacking behavioral SCA in their CI/CD pipelines are navigating this threat landscape without the primary compensating control that actually detects Sigstore bypass attacks. Signature-based tools are, by design, one step behind an attacker who releases new source code before deploying it.

What Should You Do? 3 Action Steps

1. Audit for Affected Packages and Execute Incident Response If Found

Cross-reference your package-lock.json or yarn.lock against Socket.dev's published registry of the 323 compromised packages from the May 19 attack wave. Prioritize the @antv namespace, size-sensor, echarts-for-react, timeago.js, and canvas-nest.js. If any affected version is present in your dependency tree, activate your incident response plan immediately: rotate all secrets, API keys, CI/CD platform tokens, and cloud provider credentials that were accessible in the affected environment during the last npm install run. Do not treat this as a routine dependency update — treat it as a confirmed breach scope until forensic review concludes otherwise. This distinction between routine patching and active incident response is a foundational element of any mature cybersecurity best practices program.

2. Lock Down OIDC Token Scopes in CI/CD Workflows Today

The Sigstore attestation bypass depends on capturing valid OIDC tokens from a compromised build environment. Audit your GitHub Actions — or equivalent CI platform — workflow YAML files and apply least-privilege scoping: the id-token: write permission should be granted only to the specific jobs that genuinely require it, not as a blanket workflow-level setting. StepSecurity's Harden-Runner tool can automate this audit and enforce runtime constraints on outbound network calls from build jobs. Tightening OIDC token scopes also directly addresses the data protection risk for downstream environments that consume build artifacts generated by a compromised pipeline step.
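An added example (not the article's own code, nor StepSecurity's) that audits which jobs in a workflow effectively end up holding id-token: write. It assumes the workflow file has been loaded into a Python dict of the shape PyYAML's safe_load returns, and treats an npm publish --provenance step as the only legitimate consumer of the token; the weak and corrected workflows are constructed.

```python
# Audits which jobs in a GitHub Actions workflow effectively hold
# `id-token: write`. The workflow is a dict of the shape PyYAML's
# safe_load returns for the YAML file (assumption, not the page's code).
PROVENANCE_MARKER = "--provenance"  # `npm publish --provenance` needs the OIDC token

def effective_permissions(workflow, job):
    """A job's own `permissions` block wins when present (GitHub sets every
    scope it does not list to none); otherwise the workflow-level block."""
    perms = job.get("permissions", workflow.get("permissions", {}))
    if perms == "write-all":  # shorthand: every scope, id-token included, is write
        return {"id-token": "write"}
    return perms if isinstance(perms, dict) else {}  # "read-all" grants no id-token

def needs_id_token(job):
    """Only a job that publishes with provenance has a reason for the token."""
    return any(PROVENANCE_MARKER in step.get("run", "")
               for step in job.get("steps", []))

def audit_id_token(workflow):
    """Names of jobs that hold `id-token: write` without needing it."""
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        perms = effective_permissions(workflow, job)
        if perms.get("id-token") == "write" and not needs_id_token(job):
            findings.append(name)
    return findings

# Constructed weak workflow: a blanket workflow-level grant leaks the
# OIDC token into the test job, whose `npm ci` runs every preinstall hook.
WEAK = {
    "permissions": {"contents": "read", "id-token": "write"},
    "jobs": {
        "test": {"steps": [{"run": "npm ci"}, {"run": "npm test"}]},
        "publish": {"steps": [{"run": "npm publish --provenance"}]},
    },
}
# Corrected: read-only at workflow level, `id-token: write` on publish only.
HARDENED = {
    "permissions": {"contents": "read"},
    "jobs": {
        "test": {"steps": [{"run": "npm ci"}, {"run": "npm test"}]},
        "publish": {
            "permissions": {"contents": "read", "id-token": "write"},
            "steps": [{"run": "npm publish --provenance"}],
        },
    },
}
```

Running audit_id_token(WEAK) reports the test job, while the hardened layout reports nothing; the same check applied across a repository's .github/workflows directory gives a quick inventory of where the token is over-granted.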

3. Layer Behavioral SCA Into Your Pipeline and Route Dependencies Through an Internal Registry

Provenance badges are no longer a reliable standalone control. Add a behavioral software composition analysis tool — Socket.dev, Endor Labs, or Snyk with behavioral enrichment — to your CI/CD pipeline, configured to flag preinstall hooks, unusual runtime invocations, and anomalous outbound network destinations at the package level. This adds the threat intelligence layer that static dependency auditing misses. Pair it with a policy that routes all npm installs through a vetted internal registry mirror (Verdaccio, AWS CodeArtifact, Google Artifact Registry, or equivalent), so packages are reviewed before reaching developer workstations or build servers. Together these two controls provide defense-in-depth that survives attestation bypass attacks.

Frequently Asked Questions

How do I check if my npm project installed a compromised Shai-Hulud package from the May 19 attack?

Run npm audit and compare your package-lock.json dependency list against Socket.dev's published registry of the 323 affected packages from the May 19, 2026 wave. Pay particular attention to any package in the @antv namespace published between 01:56 and 02:56 UTC on that date, plus recently updated versions of size-sensor, echarts-for-react, timeago.js, and canvas-nest.js. If a match is found, your incident response plan should include immediate secret rotation and environment forensics. The absence of npm audit warnings does not clear the environment — malicious preinstall hooks execute silently and leave no package-level error trace.
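A triage script covering the checks in Action Step 1 and in this answer, added here as an illustration rather than code from the article or from Socket.dev: it walks a package-lock.json 'packages' map for names on an affected list (including nested copies under other dependencies) and flags package manifests whose preinstall hook invokes Bun. The affected-package list, the sample lockfile and its versions are constructed placeholders; the real list is Socket.dev's published registry.

```python
import json
import re

# Constructed placeholder lists for illustration; the authoritative list
# is Socket.dev's published registry of the 323 affected packages.
AFFECTED_PACKAGES = {"size-sensor", "echarts-for-react", "timeago.js", "canvas-nest.js"}
AFFECTED_SCOPES = {"@antv"}
# The worm's preinstall hook invokes the Bun runtime; flag any hook that does.
BUN_RE = re.compile(r"(^|[\s;&|/])bunx?(\s|$)")

def package_name(lock_path):
    """Innermost package name from a lockfile path, e.g.
    'node_modules/g2/node_modules/@antv/scale' -> '@antv/scale'."""
    return lock_path.split("node_modules/")[-1].strip("/")

def find_affected(lock):
    """(name, version) pairs from a lockfileVersion 2/3 'packages' map
    whose name is listed directly or falls under an affected scope."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        name = package_name(path)
        scope = name.split("/", 1)[0] if name.startswith("@") else ""
        if name in AFFECTED_PACKAGES or scope in AFFECTED_SCOPES:
            hits.append((name, meta.get("version", "unknown")))
    return sorted(hits)

def bun_preinstall(manifest):
    """True when a package.json's preinstall script runs bun or bunx."""
    script = manifest.get("scripts", {}).get("preinstall", "")
    return BUN_RE.search(script) is not None

# Constructed sample lockfile (placeholder versions): a clean dependency, an
# affected top-level package, and an affected scoped package nested under another.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "dashboard", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/echarts-for-react": {"version": "9.9.9"},
    "node_modules/g2/node_modules/@antv/scale": {"version": "9.9.9"}
  }
}""")
# Constructed manifests: a benign postinstall beside a Bun-invoking preinstall.
SAMPLE_MANIFESTS = {
    "lodash": {"scripts": {"postinstall": "node ./scripts/setup.js"}},
    "echarts-for-react": {"scripts": {"preinstall": "bun run ./install.js"}},
}
```

On a real project, pass json.load of your package-lock.json to find_affected and each node_modules/*/package.json to bun_preinstall; any hit means the secret-rotation steps above apply.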

Does the Shai-Hulud Sigstore bypass mean provenance attestation is no longer useful for supply chain security?

Provenance attestation remains a valuable layer but should no longer be treated as a final trust signal on its own. The bypass works by capturing legitimate OIDC tokens from a compromised CI environment and using them to generate real attestations through Sigstore's Fulcio and Rekor services. The attestation is technically valid — the problem is that the build environment generating it was already under attacker control. Mitigations include scoping OIDC token permissions tightly so a compromised job cannot generate attestations for unrelated packages, layering behavioral SCA tools above provenance checks, and monitoring CI/CD publish activity for anomalous version releases. Endor Labs and Socket.dev both provide enriched provenance analysis that contextualizes attestation data alongside behavioral signals.

How can a small development team without a dedicated security function protect against npm supply chain attacks?

Three controls deliver significant protection with minimal operational overhead. First, lock your package versions using exact version pinning in package.json — remove caret and tilde range specifiers — and commit your lock file to version control; this prevents silent version upgrades when a malicious version is published. Second, enable Socket.dev's free CLI or GitHub's Dependabot security alerts to surface high-risk package behaviors like preinstall hooks automatically. Third, enforce two-factor authentication on all npm publisher accounts in your organization — account compromise is the entry point for most supply chain attacks, and this single best-practice control would have made the 'atool' account compromise significantly harder. These steps require no dedicated security headcount to implement.

Why is the Session P2P messaging network being used for malware exfiltration, and can network controls block it?

Session is a legitimate open-source encrypted messaging protocol built for privacy — its traffic is end-to-end encrypted and routes through a decentralized network architecture, making it structurally resistant to IP-based blocking. Threat actors choose it specifically because it makes command-and-control traffic blend with legitimate application communications at the network layer, defeating traditional threat intelligence blocking approaches. More effective controls include endpoint detection and response (EDR) tools that monitor process-level network connections — flagging a Bun or Node.js process initiating unexpected outbound connections — and network segmentation policies that restrict build environments and developer machines from making arbitrary outbound connections to non-approved destinations. Zero-trust network architectures (where every connection must be explicitly authorized) provide the strongest data protection posture against this class of covert channel.

What incident response steps should my team take if a CI/CD pipeline job ran npm install with a compromised Shai-Hulud package?

Follow a structured incident response sequence without delay. Step one: immediately rotate every secret accessible in the affected environment — CI/CD platform tokens, cloud provider credentials (AWS, GCP, Azure), GitHub personal access tokens, database passwords, and any API keys stored as environment variables. Step two: pull your CI/CD platform's audit logs and review for unauthorized actions during and after the compromised install — look for unexpected package publish events, new repository secrets created, or permission changes. Step three: scan build artifacts produced after the compromised install for signs of tampering before they reach production. Step four: if evidence of lateral movement (attacker spreading to connected systems) emerges, engage an external incident response provider. Depending on what data was accessible in the affected environment, applicable data protection regulations may also require breach notification to affected parties or regulatory bodies.

Disclaimer: This article is editorial commentary for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for guidance specific to your organization's environment and risk profile.