malware npm

@antv/gi-sdk-app

discovered 2026-05-19

@antv/gi-sdk-app is identified in the SafeDep analysis "Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised". A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+ monthly downloads.

more…

Threat types

credential_stealer

Malicious versions

1.3.10
1.4.10

Campaigns

Mini Shai-Huludattributed-to

Indicators

domain t.m-kosche.comcommunicates-with
ipv4 169.254.169.254communicates-with
ipv4 169.254.170.2communicates-with
sha256 a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1cindicates
sha1 1916faa365f2788b6e193514872d51a242876569indicates
sha1 7cb42f57561c321ecb09b4552802ae0ac55b3a7aindicates
sha1 dc3d62a2181beb9f326952a2d212900c94f2e13dindicates
sha1 de0fac2e4500dabe0009e67214ff5f5447ce83ddindicates
sha1 bbbca2ddaa5d8feaa63e36b76fdaad77386f024findicates
email i@hust.ccexfiltrates-to
email alexzjt@users.noreply.github.comexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1528 Steal Application Access Tokenuses
ttp T1105 Ingress Tool Transferuses
ttp T1102 Web Serviceuses

Read the full analysis →