According to analysis by SafeDep, the account in question, atool (i@hust.cc), which publishes the timeago.js JavaScript library, had publish rights to a large catalog of packages, including popular tools such as size-sensor (4.2 million downloads per month), echarts-for-react (3.8 million), @antv/scale (2.2 million), and timeago.js (1.15 million).
This privilege level allowed the attacker to publish at least 637 malicious versions across 317 different npm packages in a single 22-minute burst. The result was the compromise of a big chunk of Alibaba’s AntV namespace, a platform, growing in use across Asia, the US, and Europe, that is used to build dashboards, user interfaces, and interactive applications.
Attacks on the npm supply chain this year show an escalating trend, said Aikido Security in its analysis. “This is the third major wave we have tracked. It went from a handful of SAP packages in April, to 169 packages in the TanStack wave, to a much larger set of packages now. Each wave has been faster and broader than the last.”
“Here We Go Again”
Anyone unlucky enough to be infected by one of the malicious packages will find themselves on the receiving end of the potent Mini-Shai-Hulud worm, whose source code was recently, and briefly, published on GitHub, where other criminals could obtain it.