Compromised atool account injected Bun-based credential harvester into 317 packages (size-sensor, echarts-for-react, @antv scope) via preinstall hooks and orphan GitHub commits, exfiltrating AWS/GCP/Vault/GitHub tokens through dual channels and installing persistent C2 backdoors.
May 29, 2026
Summary
Semver ranges auto-resolve to malicious versions; the payload hijacks CI/CD pipelines (npm OIDC token exchange, Sigstore signing with stolen identities), compromises AI agent sessions (Claude Code, VS Code), and establishes persistent backdoors that poll GitHub for remote commands. Any developer with these packages in their dependency tree and unvetted lockfile updates is exposed.
Why it matters
Semver ranges auto-resolve to malicious versions; the payload hijacks CI/CD pipelines (npm OIDC token exchange, Sigstore signing with stolen identities), compromises AI agent sessions (Claude Code, VS Code), and establishes persistent backdoors that poll GitHub for remote commands. Any developer with these packages in their dependency tree and unvetted lockfile updates is exposed.
Implementation verdict
Immediate: pin exact versions in lockfiles, audit for preinstall script execution during install, scan for IoCs (kitty-monitor systemd service, .claude/settings.json SessionStart hooks, codeql.yml injection with 'Run Copilot' name). Medium-term: deploy Package Manager Guard (pmg) as install proxy with dependency cooldown to block packages published in burst windows. Check git history for imposter commits (antvis/G2 orphan commits with forged authorship). If any atool package was auto-updated between 2026-05-19 01:39-02:06 UTC, treat the machine as fully compromised: rotate all secrets, inspect CI logs for gh-token-monitor polling, search GitHub for repos named {fremen,mentat}-{sandworm,ornithopter}-{0-999}.
Sources
Dev Signal
Get briefs like this in your inbox — free, every weekday.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.