Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

In this article 1. Attack chain overview 1. Technical analysis 2. How GitHub took action to prevent further harm 2. Mitigation and protection guidance 1. Microsoft Defender XDR Detections 2. Microsoft Defender XDR Threat analytics 3. Advanced hunting 4. Indicators of Compromise IOC 3. References ...

MAL-2026-4409 Malicious code in @nutui/nutui-react-taro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 71ad42f4bfd953311c2d69f622cc6e8d5193a8852ac0bbc9ea0781ac6b651390 The package's postinstall.js invokes execSync'npm-usage-stats disable' and execSync'npm-usage-stats', stdio: 'inherit' . The npm-usage-stats bin is...

Malicious code in react-tracked-tony (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eeb24dfdd4a970dc44c017056c2a39bed6aa5973a7ec7e94b20c70d90114726c react-tracked-tony impersonates the popular react-tracked package: package.json sets name: react-tracked-tony, author: Daishi Kato, and homepage:...

Malicious code in @vtmn-play/react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e407217116bd1ae3eb89ce8631eae8299f5acd924409d33f141ebddc4489145 Package name @vtmn-play/react mimics Decathlon's Vitamin design system @vtmn/react and is published at version 99.9.1, the canonical...

MAL-2026-4464 Malicious code in @vtmn-play/react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e407217116bd1ae3eb89ce8631eae8299f5acd924409d33f141ebddc4489145 Package name @vtmn-play/react mimics Decathlon's Vitamin design system @vtmn/react and is published at version 99.9.1, the canonical...

CVE-2026-30691

Cross-Site Scripting XSS vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode...

CVE-2026-30691

Cross-Site Scripting XSS vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode...

react-doc-viewer 跨站脚本漏洞

react-doc-viewer is a React documentation viewer component developed by Damian Cyntler. Version 1.17.1 of react-doc-viewer contains a cross-site scripting vulnerability. This vulnerability arises from the TXTRenderer component failing to clean up file content and explicitly converting raw data in...

CVE-2026-30691

CVE-2026-30691 affects @cyntler/react-doc-viewer v1.17.1. TXTRenderer improperly sanitizes .txt content and casts raw data as a ReactNode, enabling Cross-Site Scripting (XSS) via crafted files. Impact: remote attacker can execute arbitrary JavaScript. No remediation details provided in the docume...

PT-2026-42214

Name of the Vulnerable Software and Affected Versions @cyntler/react-doc-viewer version 1.17.1 Description A Cross-Site Scripting XSS issue exists where remote attackers can execute arbitrary JavaScript by using a crafted .txt file. This occurs because the TXTRenderer component does not sanitize...

CVE-2026-30691

Cross-Site Scripting XSS vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode...

Malicious code in alya-baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 473103f2220a0215abf49be7e46ec1748052935ce188e0eee6ded08af7b47cf1 alya-baileys is a fork of the Baileys WhatsApp library that adds a hidden, remotely-controlled action channel against the installer's authenticated...

MAL-2026-4478 Malicious code in alya-baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 473103f2220a0215abf49be7e46ec1748052935ce188e0eee6ded08af7b47cf1 alya-baileys is a fork of the Baileys WhatsApp library that adds a hidden, remotely-controlled action channel against the installer's authenticated...

Exploit for Deserialization of Untrusted Data in Facebook React

CVE-2025-55182-React2Shell xpl0ited by infrar3dhttps://git...

Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave. "The attack affects packages tied to the npm maintainer account atool, includin...

Malicious code in react-adsense (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

link-chart (>=0.0.0 <=0.1.12) potentially affected by unknown CVE via @antv/ava-react (=3.3.2)

@antv/ava-react NPM version =3.3.2 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/ava-react and may be impacted: - link-chart =0.0.0, =0.1.12 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3854...

@widget-js/mindmap (>=0.0.1 <=0.0.5), gulf_web_scs (>=1.0.0 <=1.0.5) potentially affected by unknown CVE via @antv/x6-react-shape (=3.0.1)

@antv/x6-react-shape NPM version =3.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/x6-react-shape and may be impacted: - @widget-js/mindmap =0.0.1, =1.0.0, =1.0.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4114...

MAL-2026-3885 Malicious code in @antv/f-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/react-g (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...