@antv/l7 @2.26.10

Part of the **Mini Shai-Hulud** supply chain attack campaign in which a threat actor compromised the npm account `atool` and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a `preinstall` hook that executes a 498KB obfuscated Bun script, using the GitHub API as a covert exfiltration channel. Credentials are committed to attacker-controlled repositories following Dune-themed naming patterns (e.g., `harkonnen-melange-742`). Stolen data includes AWS keys, GitHub PATs, npm tokens, GCP service accounts, Azure credentials, Kubernetes service account tokens, SSH keys, Docker auth configs, database connection strings, Stripe keys, and Slack tokens. Malicious versions also establish persistence via CI/CD workflow injection (a GitHub Actions workflow named `Run Copilot` dumps all secrets via `toJSON(secrets)`), AI agent session hooks, and a system daemon named `kitty-monitor`. This specific package (`@antv/l7`) was modified to include a malicious `preinstall` hook executing the obfuscated Bun payload. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ec0d1ac3282b34bc6e8253b2d70891043fbbd2189c49a5ae153f91ded5d1c820) The package @antv/l7 was found to contain malicious code. ## Source: google-open-source-security (847ef6b381d410bf176f7414a6f0fbbcf46a5f39b6d9011e126b279bd2d781df) This package was compromised as part of the ongoing "Mini Shai-Hulud is back" worm by the TeamPCP threat actor. The package will steal credentials and then propogate it to every package it has access to. The package also attempts to remain persistent.

Script: bun run index.js

Dependency '@antv/setup' in `optionalDependencies` points to 'github:antvis/G2#1916faa365f2788b6e193514872d51a242876569' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.

This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

while(!![]) loop is a signature of javascript-obfuscator output > 1 | const _0x5d6bea=_0x1169;(function(_0x3187cf,_0x895a8e){const _0x5f2282={_0x2bb395:0x3eb,_0x56f5b5:0x6c1,_0x24d254:0x85d,

Hex-prefixed function names (_0x...) are generated by javascript-obfuscator > 1 | const _0x5d6bea=_0x1169;(function(_0x3187cf,_0x895a8e){const _0x5f2282={_0x2bb395:0x3eb,_0x56f5b5:0x6c1,_0x24d254:0x85d,

Hex-prefixed function names (_0x...) are generated by javascript-obfuscator > 1 | const _0x5d6bea=_0x1169;(function(_0x3187cf,_0x895a8e){const _0x5f2282={_0x2bb395:0x3eb,_0x56f5b5:0x6c1,_0x24d254:0x85d,

Spreading entire process.env into an object — may capture all secrets > 1 | const _0x5d6bea=_0x1169;(function(_0x3187cf,_0x895a8e){const _0x5f2282={_0x2bb395:0x3eb,_0x56f5b5:0x6c1,_0x24d254:0x85d,

Hex-prefixed function names (_0x...) are generated by javascript-obfuscator > 1 | const _0x5d6bea=_0x1169;(function(_0x3187cf,_0x895a8e){const _0x5f2282={_0x2bb395:0x3eb,_0x56f5b5:0x6c1,_0x24d254:0x85d,

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.