{"name":"TEAMPCP_SHAI_HULUD_NPM_2026_05 - campaign","description":"# Executive Threat Brief — TEAMPCP_SHAI_HULUD_NPM_2026_05\n\n## Campaign Snapshot\n\nOn 19 May 2026, the threat actor TeamPCP stole npm publishing credentials for the `atool` maintainer account — which publishes Alibaba's AntV data visualization suite and a broad set of popular JavaScript utilities — and used them to inject a confirmed credential-stealing payload into 323 npm packages in two automated waves. Every compromised package executes the same payload on install: it reads CI/CD runner memory to extract secrets in plaintext, sweeps over 130 credential file paths on the host, and exfiltrates everything to an attacker-controlled server disguised as an observability endpoint. A second account, `prop`, was simultaneously compromised and used to poison six additional packages.\n\nThe attack is not theoretical. Over 2,500 GitHub repositories have already been created using GitHub tokens stolen from compromised CI environments, providing a real-time floor count on organizations whose credentials have been successfully exfiltrated. The combined weekly download volume across affected packages exceeds 16 million. No CVE has been issued and no standard vulnerability scanner will produce an alert for this campaign.\n\nAny environment — CI/CD pipeline or developer machine — that ran `npm install` after 2026-05-19T01:39:31Z and resolved one of the 323 affected packages should be treated as fully compromised until secrets are rotated and persistence artifacts are removed.\n\n---\n\n## What Is Affected\n\n### Libraries\n\n| Package | Ecosystem | Compromised Versions | Safe Version | Action |\n|---------|-----------|---------------------|--------------|--------|\n| jest-canvas-mock | npm | 2.5.3, 2.6.3, 2.7.3 | 2.5.2 | Pin to 2.5.2, rotate secrets |\n| size-sensor | npm | 1.0.4, 1.1.4, 1.2.4 | 1.0.3 | Pin to 1.0.3, rotate secrets |\n| echarts-for-react | npm | 3.0.7, 3.1.7, 3.2.7 | 3.0.6 | Pin to 3.0.6, rotate secrets |\n| timeago.js | npm | 4.1.2, 4.2.2 | 4.1.1 | Pin to 4.1.1, rotate secrets |\n| @antv/util | npm | 3.4.11, 3.5.11 | 3.4.10 | Pin to 3.4.10, rotate secrets |\n| @antv/scale | npm | 0.6.2, 0.7.2 | 0.6.1 | Pin to 0.6.1, rotate secrets |\n| jest-date-mock | npm | 1.0.11, 1.1.11, 1.2.11 | 1.0.10 | Pin to 1.0.10, rotate secrets |\n| @antv/g2 | npm | 5.5.8, 5.6.8 | 5.5.7 | Pin to 5.5.7, rotate secrets |\n| @antv/g | npm | 6.4.1, 6.5.1 | 6.4.0 | Pin to 6.4.0, rotate secrets |\n| @antv/g6 | npm | 5.2.1, 5.3.1 | 5.2.0 | Pin to 5.2.0, rotate secrets |\n| @antv/graphlib | npm | 2.1.4, 2.2.4 | 2.1.3 | Pin to 2.1.3, rotate secrets |\n| @antv/l7 | npm | 2.26.10, 2.27.10 | 2.26.9 | Pin to 2.26.9, rotate secrets |\n| 311 additional @antv/* and utility packages | npm | See campaign-details.md | Prior minor — | Pin and rotate |\n\n### Software / Infrastructure\n\n| System | Impact | Action |\n|--------|--------|--------|\n| GitHub Actions runners | Runner.Worker memory scraped; every masked secret extracted in plaintext | Rotate all runner secrets immediately |\n| CI/CD pipelines (all platforms) | Environment variable theft; daemonized exfiltration completes after install | Purge caches; rotate all CI secrets |\n| Developer workstations | 130+ credential file paths swept; crypto wallets at risk; IDE persistence dropped | Full credential rotation; wallet transfer |\n| Private npm registry caches | Pull-through caches may serve poisoned versions | Rollback cache to pre-2026-05-19T01:39:31Z snapshot |\n\n---\n\n## Business Impact\n\n- **Active credential exfiltration confirmed.** Over 2,500 GitHub repositories created with stolen tokens. Any organization whose token appears in those repositories has confirmed credential loss.\n- **CI/CD pipeline integrity cannot be assumed** for any build that ran after 01:39:31Z on 19 May 2026 and resolved an affected package. Pipeline attestation and signed artifacts from that window should be treated as untrustworthy.\n- **Developer machines are exposed beyond CI.** The payload harvests AWS, GCP, Azure, Kubernetes, HashiCorp Vault, SSH keys, npm tokens, and cryptocurrency wallet files on any machine where a developer ran `npm install` locally.\n- **Persistence survives package rollback.** Backdoors injected into `.claude/settings.json`, `.vscode/tasks.json`, and `.github/workflows/codeql.yml` will continue to re-execute the payload on every IDE session open and CI push until explicitly removed.\n- **Supply chain propagation risk.** If any package your organization publishes was built in a compromised CI environment, that published artifact may itself be compromised and serve as a distribution vector to your downstream users.\n- **No CVE signal.** Security teams relying on CVE-based scanner alerts received no notification of this campaign. Detection requires behavioral monitoring, timestamp-based IOC matching, or network egress telemetry.\n\n---\n\n## Immediate Actions (Next 24–72 Hours)\n\n| # | Action | Owner | Deadline |\n|---|--------|-------|----------|\n| 1 | Rotate ALL CI/CD secrets: GitHub tokens, AWS/GCP/Azure credentials, npm automation tokens, Vault tokens, Kubernetes service account tokens | Security / DevOps | Immediate (0–4h) |\n| 2 | Block `t[.]m-kosche[.]com` at DNS, WAF, and network egress for all CI runner environments | Network / DevOps | Immediate (0–4h) |\n| 3 | Scan all repository lockfiles (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`) for compromised package versions using `upload_findings.py` | AppSec / DevOps | 0–8h |\n| 4 | Purge all CI artifact caches, Docker layer caches, and npm caches built after 2026-05-19T01:39:31Z | DevOps | 0–8h |\n| 5 | Check and remove persistence artifacts in every repository: `.claude/settings.json` (SessionStart hook), `.vscode/tasks.json` (folderOpen task), `.github/workflows/codeql.yml` (injected workflow) | AppSec / Dev | 0–12h |\n| 6 | Add exact version pins for all affected packages to `package.json` `overrides` / `resolutions` | Dev Leads | 0–12h |\n| 7 | Audit GitHub repositories for unauthorized commits, branches, or workflow modifications in the past 24h | Security | 0–12h |\n| 8 | Search GitHub for dead-drop repos: `github.com/search?q=niaga+og+ew+ereh+%3Aduluh-iahs&type=repositories` — if any are linked to your tokens, escalate immediately | Security | 0–8h |\n| 9 | Any developer machine with crypto wallet files (`~/.bitcoin/wallet.dat`, `~/.ethereum/keystore/*`) that ran an affected install: transfer funds to new wallets immediately | Affected developers | 0–4h |\n| 10 | For any package your organization published from a compromised CI environment: assess whether the published artifact is poisoned and coordinate disclosure with downstream users | AppSec / Engineering | 24–72h |\n\n---\n\n## Key IOCs (Fast Reference)\n\n| Type | Value | Context |\n|------|-------|---------|\n| Domain | t[.]m-kosche[.]com | Primary C2 server; fake OTel endpoint at `/api/public/otel/v1/traces` |\n| Domain | api[.]github[.]com | GitHub API dead-drop channel (spoofed UA: `python-requests/2.31.0`) |\n| Repository | antvis/G2 | GitHub dead-drop target; encrypted data committed to branches |\n| Commit fingerprint | `IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner` | Appears in all dead-drop commit messages |\n| Repo description | `niagA oG eW ereH :duluH-iahS` | Reversed: \"Shai-Hulud: Here We Go Again\" — present in all 2,500+ stolen-token repos |\n| Git reference | `github:antvis/G2#7cb42f57561c321ecb09b4552802ae0ac55b3a7a` | Poisoned optional dependency commit |\n| npm account | atool | Compromised; 318 packages |\n| npm account | prop | Compromised; 6 packages |\n| Persistence | `.claude/settings.json` | SessionStart hook re-executes malware |\n| Persistence | `.vscode/tasks.json` | folderOpen task re-executes malware |\n| Persistence | `.github/workflows/codeql.yml` | Injected workflow exfiltrates repo secrets on push |\n| Timestamp | `2026-05-19T01:39:31Z` | Wave 1 publish start — all versions before this timestamp are clean |\n\n---\n\n## Risk Summary\n\n| Dimension | Rating | Rationale |\n|-----------|--------|-----------|\n| Exploitability | Critical | No user interaction beyond `npm install`; payload fires on install hook; Bun runtime auto-installed if absent |\n| Blast Radius | Critical | 323 packages, 16M+ weekly downloads, AntV ecosystem, jest test utilities, React tooling — covers majority of JavaScript CI pipelines |\n| Persistence Risk | Critical | Four independent persistence mechanisms survive package rollback; IDE session hooks and CI workflow injection continue exfiltration indefinitely |\n| Remediation Complexity | High | Requires secret rotation across all cloud providers, lockfile auditing across all repositories, cache purges, and manual persistence artifact removal per workstation |\n| Business Exposure | Critical | Confirmed active exfiltration; 2,500+ repos already created with stolen tokens; downstream package propagation risk; no CVE signal means standard compliance controls provide no coverage |\n"}