Dev Signal← Briefs
supply-chain-attackcredential-harvestingnpm-securityci-cd-compromisepersistence

npm account atool publishes 637 malicious packages

Compromised atool account injected Bun-based credential harvester into 317 packages (size-sensor, echarts-for-react, @antv scope) via preinstall hooks and orphan GitHub commits, exfiltrating AWS/GCP/Vault/GitHub tokens through dual channels and installing persistent C2 backdoors.

May 29, 2026

Summary

Semver ranges auto-resolve to malicious versions; the payload hijacks CI/CD pipelines (npm OIDC token exchange, Sigstore signing with stolen identities), compromises AI agent sessions (Claude Code, VS Code), and establishes persistent backdoors that poll GitHub for remote commands. Any developer with these packages in their dependency tree and unvetted lockfile updates is exposed.

Why it matters

Semver ranges auto-resolve to malicious versions; the payload hijacks CI/CD pipelines (npm OIDC token exchange, Sigstore signing with stolen identities), compromises AI agent sessions (Claude Code, VS Code), and establishes persistent backdoors that poll GitHub for remote commands. Any developer with these packages in their dependency tree and unvetted lockfile updates is exposed.

Implementation verdict

Immediate: pin exact versions in lockfiles, audit for preinstall script execution during install, scan for IoCs (kitty-monitor systemd service, .claude/settings.json SessionStart hooks, codeql.yml injection with 'Run Copilot' name). Medium-term: deploy Package Manager Guard (pmg) as install proxy with dependency cooldown to block packages published in burst windows. Check git history for imposter commits (antvis/G2 orphan commits with forged authorship). If any atool package was auto-updated between 2026-05-19 01:39-02:06 UTC, treat the machine as fully compromised: rotate all secrets, inspect CI logs for gh-token-monitor polling, search GitHub for repos named {fremen,mentat}-{sandworm,ornithopter}-{0-999}.

Sources

  1. 1.The npm account atool ([email protected]) was compromised on May 19, 2026. The attacker published 637 malicious versions across 317 packages in a 22-minute automated burst.
  2. 2.Affected packages include size-sensor (4.2M downloads/month), echarts-for-react (3.8M), @antv/scale (2.2M), timeago.js (1.15M)
  3. 3.The payload is a 498KB obfuscated Bun script that matches the Mini Shai-Hulud toolkit used in the SAP compromise three weeks earlier
  4. 4.It harvests credentials across the full AWS chain (env vars, config files, EC2 IMDS, ECS container metadata, Secrets Manager), Kubernetes service account tokens, HashiCorp Vault, GitHub PATs, npm tokens, SSH keys, and local password manager vaults
  5. 5.Any package published by atool ([email protected]) on 2026-05-19 between 01:44 and 02:06 UTC
  6. 6.preinstall script: bun run index.js
  7. 7.Payload SHA256: a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c

Dev Signal

Get briefs like this in your inbox — free, 3x a week.

100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.

Read the full issue →All briefs