The maintainer of a large number of packages was compromised, injecting malicious dependencies into the supply chain of multiple packages, each of which exceeds 1 million weekly downloads; the @antv/* namespace, timeago.js, and size-sensor are the three largest in terms of broad application usage.
As with past instances, the window of exposure led other packages to be compromised and has extended the spread to many hundreds of npm ecosystem packages.
Security Advisories
Semgrep deployed supply chain rules to look for the malicious dependencies in any packages that are being scanned. As there is a large number of packages impacted, we’re not itemizing them in the blog post. Instead, visit the advisories page to find the full list of packages and versions.
https://semgrep.dev/orgs/semgrep/advisories
We will extend the advisory to new packages if the worm continues to spread to other maintainers. If you are concerned about impact from one of these dependencies and haven't scanned your projects recently, trigger a new scan.
timeago.js
This package is commonly used in user interfaces to display relative times, such as showing that the worm was introduced into the timeago.js package “three hours ago”. It is also a transitive dependency of libraries such as react-timeago, which wrap it for framework-specific use.
You can find this package and its compromised versions, among others affected in this campaign, in this advisory:
https://semgrep.dev/orgs/semgrep/advisories/ssc-df594978-4672-4f3c-b303-d5c9413e4029
The Semgrep web application also displays relative times, for example on the advisories page itself. We don't use this library, but we use Semgrep to check our own supply chain internally as well, to be sure.
If you are seeking alternatives to timeago.js, other packages solve the same problem, including javascript-time-ago and moment.js. They are not as small as the timeago.js micro-library, but they offer features such as i18n (internationalization) that are often important for global users.
@antv/* and echarts-for-react
The @antv libraries are part of a collection of composable libraries used to build charts, diagrams, maps, graphs, and other data-heavy visualization user interfaces. This is what makes the ecosystem popular: it solves common enterprise and internal tooling needs for observability through business and operational dashboards that are rendered interactively in a browser.
You can find this package and the versions that were impacted, among others compromised in this campaign, in this advisory:
https://semgrep.dev/orgs/semgrep/advisories/ssc-46e92240-45e7-4fb0-bce1-959735b10e93
Compared to low-level libraries like D3.js, AntV offers an improved developer experience for common tasks. A common alternative to AntV is Apache ECharts, whose React wrapper echarts-for-react was also compromised. Other popular libraries for these problems include Recharts, Nivo, and visx.
As with past instances of Mini Shai-Hulud, internal applications should not be excluded from investigation simply because they are not public-facing. That is a false assumption: the malware associated with this campaign executes during package installation, so development environments, CI systems, and internal tooling all become exposure points simply by resolving and installing a compromised dependency.
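Because the payload runs at install time, the useful moment to check is before any environment resolves the lockfile. The following is an added example (not Semgrep's code or tooling) that matches the packages recorded in a package-lock.json against an advisory list; the version strings in the list are placeholders, and the real ones come from the advisories linked above.

```javascript
// Added example: flag advisory-listed package@version pairs in a package-lock.json (v2/v3).
// CONSTRUCTED advisory map with placeholder versions; replace with the versions
// from the linked Semgrep advisories before use.
const COMPROMISED = {
  "timeago.js": new Set(["0.0.0-placeholder"]),
  "size-sensor": new Set(["0.0.0-placeholder"]),
  "@antv/g2": new Set(["0.0.0-placeholder"]),
};

// Lockfile v2/v3 keys every installed package by its path, e.g.
// "node_modules/react-timeago/node_modules/timeago.js"; the package name is
// everything after the last "node_modules/" (scoped names keep their "@scope/").
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk every entry (including nested, transitive installs) and report matches.
function findCompromised(lock, advisory = COMPROMISED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const name = entry.name || packageNameFromPath(path);
    const badVersions = advisory[name];
    if (badVersions && badVersions.has(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// Convenience wrapper for raw lockfile text (e.g. read from disk or stdin).
function scanLockfileText(jsonText, advisory = COMPROMISED) {
  return findCompromised(JSON.parse(jsonText), advisory);
}

// CONSTRUCTED lockfile fragment: timeago.js is pulled in transitively via react-timeago.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", version: "1.0.0" },
    "node_modules/react-timeago": { version: "7.2.0" },
    "node_modules/react-timeago/node_modules/timeago.js": { version: "0.0.0-placeholder" },
    "node_modules/size-sensor": { version: "1.0.1" }, // not a listed version: no hit
  },
};

console.log(findCompromised(SAMPLE_LOCK)); // one hit: timeago.js via react-timeago
```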
size-sensor
This package is commonly used for front-end user interfaces to detect changes when calculating the height and width of visual elements in the DOM. This is important for responsive web design across web and mobile-web applications, especially with data-intensive visualizations where user interfaces need to recalculate rendering when containers change sizes.
Packages like this are often found deeply embedded as transitive dependencies in visualization and analytics tooling, meaning some applications may include it indirectly without ever listing it themselves.
You can find this package and the versions that were impacted, among others compromised in this campaign, in this advisory:
https://semgrep.dev/orgs/semgrep/advisories/ssc-06c9952a-dea1-4d40-bfb0-4f6818466a3c
Modern alternatives to size-sensor include the browser's native ResizeObserver, which is now widely supported across browsers and often eliminates the need for an additional resize-detection dependency entirely. React, Vue, and some other visualization systems now also provide their own support for this type of behavior.
Remediation Advice for Dependency Worms
As we've shared on this blog before (and can assist customers with recommendations), if you haven't already, introduce cool-down periods for dependencies to help stop the spread.
Immediately rotate credentials. This malware casts a very wide net: it targets dev-related credentials such as cloud, SSH key and GitHub Actions credentials, but also more general credentials such as Claude, Salesforce, MS365, and more. Note that if your affected device is a Mac, additional credentials are exfiltrated. The list of credentials to check has not materially changed from previous appearances of this worm.
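A cool-down period means never installing a version until it has been public for some minimum time, so a freshly pushed malicious release is skipped while it is most likely to be caught and unpublished. Update tooling increasingly offers this natively (Renovate's minimumReleaseAge, for example); the block below is an added example, not Semgrep's code, that implements the selection rule itself over the version -> publish-time map the npm registry exposes, using a constructed map rather than a live registry fetch.

```javascript
// Added example: pick the newest stable version that has been published for at
// least COOLDOWN_DAYS. The npm registry document for a package carries a "time"
// object mapping each version (plus "created"/"modified") to an ISO timestamp.
const COOLDOWN_DAYS = 7;

// Minimal x.y.z comparison; prereleases are filtered out before this is used.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns the highest stable version published on or before (now - cooldown),
// or null when nothing has aged enough yet.
function selectCooledVersion(timeMap, now, cooldownDays = COOLDOWN_DAYS) {
  const cutoff = now.getTime() - cooldownDays * 24 * 60 * 60 * 1000;
  const eligible = Object.entries(timeMap)
    .filter(([v]) => v !== "created" && v !== "modified")
    .filter(([v]) => !v.includes("-")) // skip prereleases such as 4.2.0-beta.1
    .filter(([, publishedAt]) => Date.parse(publishedAt) <= cutoff)
    .map(([v]) => v)
    .sort(compareSemver);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// CONSTRUCTED registry "time" map and clock; the dates are illustrative only.
const SAMPLE_TIME = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2025-03-10T09:00:00.000Z",
  "4.0.2": "2024-06-01T00:00:00.000Z",
  "4.1.0": "2025-02-20T00:00:00.000Z",
  "4.2.0-beta.1": "2025-03-01T00:00:00.000Z",
  "4.1.1": "2025-03-10T09:00:00.000Z", // pushed hours before "now": held back by the cool-down
};
const NOW = new Date("2025-03-10T15:00:00.000Z");

console.log(selectCooledVersion(SAMPLE_TIME, NOW)); // "4.1.0"
```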