Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised

TL;DR

An attacker using the compromised npm account atool published 637 malicious package versions across 317 packages in a 22-minute window. The payload harvests credentials and maintains persistence across projects and CI environments. The attack impacts widely used packages and exposes significant security risks.

On May 19, 2026, the npm account atool ([email protected]) was compromised, leading to the publication of 637 malicious package versions across 317 packages within 22 minutes. This attack affects several widely used packages, including size-sensor and echarts-for-react, and employs sophisticated payloads designed to harvest credentials and establish persistent access.

The attacker gained control of the atool npm account and used it to publish malicious versions of multiple packages, many with millions of downloads monthly. The payload is a 498KB obfuscated Bun script that matches the Mini Shai-Hulud toolkit used in a prior SAP-related compromise, indicating a highly coordinated attack.

The malicious code harvests AWS credentials (including environment variables, EC2 metadata, ECS container credentials), GitHub personal access tokens, npm tokens, SSH keys, and other sensitive data. It exfiltrates this data by creating public GitHub repositories under the stolen tokens’ accounts, embedding the stolen information in commit messages and files.

Beyond credential theft, the payload establishes persistence through CI/CD pipelines, injecting code into GitHub workflows, hijacking AI development environments like Claude and Codex, and installing system-level backdoors such as a GitHub dead-drop C2 server called kitty-monitor. It also attempts Docker container escape and propagates infection to other local Node.js projects.

Of particular concern is the method of hosting imposter commits in a fork-like manner, exploiting GitHub’s sharing of fork objects to distribute the payload without requiring write access to target repositories. The attack leverages GitHub’s dependency resolution to fetch and execute malicious code based on SHA references.

Why It Matters

This incident underscores a significant security vulnerability in the npm ecosystem, especially given the widespread use of affected packages like echarts-for-react and size-sensor. The attack’s ability to harvest multiple layers of credentials and maintain persistence across development environments poses a serious threat to organizations relying on these packages for critical applications.

Moreover, the attack demonstrates a high level of sophistication, employing multiple covert channels such as GitHub repositories, CI/CD pipelines, and AI environment hooks. The potential for stolen credentials to be used for further intrusions into cloud services, corporate networks, and development pipelines makes this a critical security incident.

For developers and organizations, this incident highlights the importance of monitoring package integrity, verifying dependencies, and securing CI/CD pipelines against such sophisticated supply chain attacks.

Background

This attack follows a pattern of recent supply chain compromises, notably the SAP incident three weeks earlier involving similar tools and techniques. The Mini Shai-Hulud toolkit, identified in this attack, has been linked to prior credential harvesting campaigns targeting enterprise environments. The compromised npm account atool was active for several years before the breach, and the packages affected are among the most downloaded in the npm registry, amplifying the potential impact.

Previous incidents have shown that attackers exploit dependency resolution mechanisms and package sharing features to distribute malicious payloads stealthily. The use of obfuscation, orphan commits, and forged authorship further complicates detection efforts.

“The attack demonstrates a highly coordinated effort to harvest credentials and establish persistent backdoors across multiple platforms and environments.”

— SafeDep Team

“The use of orphan commits and forged authorship in GitHub repositories is a clever tactic that exploits platform sharing mechanisms to distribute malicious payloads undetected.”

— Cybersecurity analyst

What Remains Unclear

It remains unclear how the attacker initially gained control of the atool npm account, whether through credential theft, social engineering, or other means. The full extent of compromised packages and affected organizations is still being assessed, and investigators are still working to determine whether additional malicious activity is under way.

What’s Next

Security researchers and npm are actively investigating the scope of the breach, with npm likely to implement enhanced package signing and monitoring measures. Organizations using affected packages should review their dependencies, revoke compromised tokens, and monitor for unusual activity in their CI/CD pipelines and cloud environments. Further updates are expected as more details emerge about the attacker’s methods and additional compromised assets.
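
One way to carry out the dependency review recommended above, as an added example that is not from the original article or from SafeDep: a Node.js audit of a package-lock.json (lockfileVersion 2 or 3) that flags every install of the two package names the article gives, including nested transitive copies, and any dependency resolved from a git host by commit reference, the distribution mechanism described earlier. The watchlist contents, the sample lockfile and the function names are assumptions; the article lists no affected version numbers, so none are checked.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3).
// WATCHLIST holds only the two package names the article gives (assumption:
// extend it from the full advisory). No affected versions are on the page.
const WATCHLIST = new Set(["size-sensor", "echarts-for-react"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// True when an entry is fetched from a git host instead of a registry tarball.
function isGitResolved(resolved) {
  return typeof resolved === "string" &&
    /^(git\+|git:|github:)|codeload\.github\.com/.test(resolved);
}

// Returns one finding per watched package install and per git-resolved entry.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = nameFromPath(path);
    if (WATCHLIST.has(name))
      findings.push({ kind: "watched-package", name, version: meta.version, path });
    if (isGitResolved(meta.resolved))
      findings.push({ kind: "git-resolved", name, resolved: meta.resolved, path });
  }
  return findings;
}

// Constructed sample lockfile; versions and the commit hash are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/echarts-for-react": { version: "0.0.0-placeholder",
      resolved: "https://registry.npmjs.org/echarts-for-react/-/x.tgz" },
    "node_modules/echarts-for-react/node_modules/size-sensor": {
      version: "0.0.0-placeholder",
      resolved: "https://registry.npmjs.org/size-sensor/-/x.tgz" },
    "node_modules/@example/helper": { version: "1.2.3",
      resolved: "git+ssh://git@github.com/example/helper.git#" + "0".repeat(40) },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(JSON.stringify(f));
```

To audit a real project, pass the parsed contents of its package-lock.json to `auditLockfile` in place of the sample. A finding means the entry needs manual review against the advisory, not that the installed version is malicious.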

Key Questions

How did the attacker compromise the npm account?

It is not yet confirmed how the attacker gained access. The investigation is ongoing, but initial evidence suggests credential theft or social engineering may have played a role.

Which packages are affected and what is the risk?

Over 300 packages, including popular ones like size-sensor and echarts-for-react, were compromised. The malicious versions contain payloads that harvest credentials and establish persistent backdoors, posing a significant security risk to users of these packages.

What should affected organizations do now?

Organizations should revoke compromised tokens, update dependencies to secure versions if available, monitor their CI/CD pipelines, and review cloud credentials and secrets for potential theft.

Will npm implement new security measures?

Yes, npm and security researchers are expected to enhance package signing, improve dependency verification, and increase monitoring to prevent similar incidents.
