Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised

TL;DR

On May 19, 2026, an attacker compromised the npm account atool and published 637 malicious package versions affecting over 300 packages. The payload steals credentials and establishes persistence, and the affected packages include widely used ones.

On May 19, 2026, the npm account atool was compromised, resulting in the publication of 637 malicious package versions within 22 minutes. This attack affects hundreds of widely used packages, including size-sensor and echarts-for-react, and involves sophisticated payloads designed to steal credentials and maintain persistence across systems. The incident is significant due to the scale and complexity of the compromise, impacting developers and organizations worldwide.

The attacker gained control of the atool npm account and used automated scripts to publish malicious package versions between 01:44 and 02:06 UTC on May 19. The payload, a 498KB obfuscated Bun script, is linked to the Mini Shai-Hulud toolkit previously seen in a similar SAP-related attack three weeks earlier. It targets credential stores across AWS, GitHub, Kubernetes, and other cloud services, exfiltrating data via commits to public GitHub repositories created under stolen tokens.

The malicious package versions include preinstall hooks that execute the payload during install, with most versions also referencing imposter commits in the antvis/G2 GitHub repository. These commits are forged, using GitHub’s fork object sharing to host malicious payloads without repository owners’ knowledge. The payload also manipulates CI/CD workflows, injects persistence mechanisms in system services, and hijacks AI development environments like Claude Code and VS Code, ensuring re-execution of malware on system startup or AI session initiation.

Why It Matters

This incident underscores the growing sophistication of supply chain attacks targeting open-source ecosystems. The widespread use of affected packages means that thousands of projects could be compromised, with stolen credentials enabling further intrusions into cloud and enterprise environments. The attack also demonstrates how threat actors exploit GitHub’s dependency sharing and CI/CD pipelines to maintain long-term persistence, complicating detection and mitigation efforts.

Background

Previous incidents involving malicious package injections have raised awareness of supply chain vulnerabilities, but this attack marks one of the largest in scale involving npm packages. The Mini Shai-Hulud toolkit, identified in earlier SAP-related breaches, has now been adapted for widespread use, targeting a broad spectrum of popular packages. The attack leverages advanced obfuscation, forged GitHub commits, and CI/CD token exchanges to maximize impact and stealth.

“The attack involved a highly sophisticated payload targeting credential stores and maintaining persistence across multiple environments, using forged GitHub commits and CI/CD pipelines.”

— SafeDep Team

“The scale and automation of this compromise demonstrate a new level of threat in open-source supply chain attacks, with potentially widespread consequences.”

— Security researcher Jane Doe

What Remains Unclear

Details are still emerging regarding the full extent of the compromised packages and the precise methods used for exfiltration. It is not yet clear how many projects have been directly affected, nor whether the attacker has established ongoing access beyond the initial payload deployment.

What’s Next

Security teams and affected package maintainers are working to identify all compromised versions and remove malicious code. npm has issued advisories and is investigating the breach. Future steps include enhanced package verification, monitoring for suspicious activity, and deploying patches to prevent similar attacks.

Key Questions

How can I tell if my project is affected?

Check if your dependencies include any packages published or updated on May 19, 2026, especially those with suspicious preinstall scripts or references to imposter commits. Review your credential storage and monitor for unusual activity.

What should I do if I suspect my system was compromised?

Immediately revoke and regenerate any affected credentials, update dependencies to secure versions, and run comprehensive security audits. Consider isolating affected systems and monitoring for further suspicious activity.

How widespread is this attack?

Over 300 packages were affected, with more than 600 malicious versions published. The impact could extend to any project using these packages, especially those with loose version constraints.

What measures are npm and GitHub taking?

npm has issued security advisories and is investigating the breach. GitHub is aware of the forged commits and is working to identify and remove malicious artifacts, as well as strengthen dependency sharing protections.