Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account
Summary
A new software supply chain attack campaign, dubbed Mini Shai-Hulud, has compromised npm packages within the @antv ecosystem. The attackers gained access through a compromised maintainer account and injected malicious code into popular packages like echarts-for-react.
IFF Assessment
This indicates a successful supply chain attack, which is bad news for defenders as it compromises trusted software components.
Defender Context
This incident highlights the persistent threat of supply chain attacks against popular open-source registries such as npm. Defenders should keep watch over the integrity of their software dependencies, apply robust scanning and vetting to third-party code before it is adopted, and tightly control which packages are allowed into production environments.
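As an added illustration of the dependency vetting recommended above (example code written for this page, not tooling from the campaign report or from the AntV project), the Node.js script below audits a lockfile and a set of package manifests for three generic warning signs that matter in any npm supply chain incident: dependencies recorded without an `integrity` hash, dependencies resolved from somewhere other than the expected registry, and packages declaring install-time lifecycle scripts, which run arbitrary code during `npm install`. The registry URL and all package names and versions in the sample input are constructed placeholders, not real packages or indicators from this incident.

```javascript
// Added example, not from the original page: audit an npm lockfile
// (lockfileVersion 2/3 "packages" map) plus installed package.json manifests
// for common supply-chain warning signs. All sample data below is constructed.
'use strict';

// Assumption: the only legitimate source of tarballs is the public registry.
const EXPECTED_REGISTRY = 'https://registry.npmjs.org/';
// Lifecycle hooks that npm runs automatically while installing a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Flag lockfile entries lacking an integrity hash (nothing for `npm ci` to
// verify) or resolved from an unexpected host.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project or workspace symlink
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.integrity) {
      findings.push({ name, issue: 'missing-integrity' });
    }
    if (entry.resolved && !entry.resolved.startsWith(EXPECTED_REGISTRY)) {
      findings.push({ name, issue: 'unexpected-resolved', detail: entry.resolved });
    }
  }
  return findings;
}

// Flag manifests that declare install-time scripts; these deserve manual review
// (or `--ignore-scripts` at install time) because they execute on every install.
// manifests: { "<name>@<version>": <parsed package.json object> }
function auditManifests(manifests) {
  const findings = [];
  for (const [id, pkg] of Object.entries(manifests)) {
    const scripts = pkg.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') {
        findings.push({ name: id, issue: 'install-script', detail: `${hook}: ${scripts[hook]}` });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile: one clean entry, one without integrity,
// one fetched from a non-registry host.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/alpha': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/alpha/-/alpha-1.2.3.tgz',
      integrity: 'sha512-AAAA', // placeholder hash
    },
    'node_modules/beta': {
      version: '0.1.0',
      resolved: 'https://registry.npmjs.org/beta/-/beta-0.1.0.tgz',
    },
    'node_modules/gamma': {
      version: '2.0.0',
      resolved: 'https://mirror.example.invalid/gamma-2.0.0.tgz',
      integrity: 'sha512-BBBB', // placeholder hash
    },
  },
};

// Constructed sample manifests: one with only a test script, one with postinstall.
const SAMPLE_MANIFESTS = {
  'alpha@1.2.3': { name: 'alpha', scripts: { test: 'node test.js' } },
  'delta@4.0.0': { name: 'delta', scripts: { postinstall: 'node setup.js' } },
};

// Combine both audits; returns a list of finding objects for the caller to triage.
function runAudit(lock = SAMPLE_LOCK, manifests = SAMPLE_MANIFESTS) {
  return [...auditLockfile(lock), ...auditManifests(manifests)];
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const f of runAudit()) {
    console.log(`${f.issue}\t${f.name}\t${f.detail || ''}`);
  }
}
```

In a real pipeline you would feed `auditLockfile` the parsed `package-lock.json` and `auditManifests` the `package.json` of each entry under `node_modules`, and fail the build on any finding until a human has reviewed it. A finding is a prompt for review, not proof of compromise: plenty of legitimate packages ship a `postinstall` script, but an install hook appearing in a new release of a previously hook-free dependency is exactly the kind of change worth stopping on.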