Embedded Malicious Code Affecting @antv/g-webgpu-unitchart package, versions =0.7.1, =0.6.1


Severity: critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Attacked

  • Snyk ID: SNYK-JS-ANTVGWEBGPUUNITCHART-16754400
  • Published: 19 May 2026
  • Disclosed: 18 May 2026
  • Credit: Unknown

Introduced: 18 May 2026

Type: Malicious package | CVE: NOT AVAILABLE | CWE-506

How to fix?

Avoid using all malicious instances of the @antv/g-webgpu-unitchart package.

Overview

Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the attacker to publish over 600 tampered package versions to npm, primarily targeting the @antv ecosystem, along with other widely used packages like echarts-for-react, size-sensor, and jest-canvas-mock.

Attack Details

This supply chain attack is notable for successfully forging valid Sigstore provenance badges, meaning the malicious packages appear legitimate to standard provenance-verification tools. The attackers introduced the malware using a "phantom commit dropper," injecting an anomalous @antv/setup optional dependency that points directly to a malicious GitHub commit.

Malware Behavior

The heavily obfuscated payload is designed to execute during the package installation phase. It scans developer workstations and CI/CD pipelines to harvest high-value secrets, including AWS credentials, GitHub tokens, npm tokens, Vault tokens, and Kubernetes service-account material. The stolen data is compressed, encrypted, and exfiltrated to an external server. If the primary exfiltration route fails, the malware falls back on abusing stolen GitHub tokens to create Dune-themed repositories under the victim's account to stash the stolen data. The payload also contains worm capabilities, using stolen npm tokens to modify and republish further packages.
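The dropper described under Attack Details hinges on a dependency spec that resolves to a GitHub commit instead of a registry version. As an added defensive example (not code from Snyk, AntV or the attackers), the Node.js script below audits a package.json for dependency specs that bypass the npm registry and for lifecycle scripts that run at install time; the sample manifest, owner, repo and commit hash are constructed placeholders.

```javascript
// Added example: flag package.json entries that resolve outside the npm
// registry (git/GitHub URLs, owner/repo#ref shorthands) and lifecycle
// scripts that run automatically during `npm install`.
'use strict';

// npm treats these prefixes as git-hosted or URL specs, not registry versions.
const GIT_SPEC = /^(git\+|github:|gitlab:|bitbucket:|git:\/\/|git@|https?:\/\/)/i;
// Shorthand "owner/repo" or "owner/repo#ref" that npm also resolves to GitHub.
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#[\w./-]+)?$/;
// Lifecycle hooks npm runs on its own during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function isNonRegistrySpec(spec) {
  return GIT_SPEC.test(spec) || GITHUB_SHORTHAND.test(spec);
}

// Returns one finding per suspicious entry: section, name, spec and reason.
function auditPackageJson(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (typeof spec === 'string' && isNonRegistrySpec(spec)) {
        findings.push({ section, name, spec, reason: 'resolves outside the npm registry (git or URL spec)' });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ section: 'scripts', name: hook, spec: pkg.scripts[hook], reason: 'runs automatically at install time' });
    }
  }
  return findings;
}

// Constructed sample manifest; owner, repo and commit hash are placeholders,
// modelled on the anomalous @antv/setup optional dependency in the advisory.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: { '@antv/g-webgpu-unitchart': '^0.6.0', lodash: '^4.17.21' },
  optionalDependencies: { '@antv/setup': 'github:PLACEHOLDER_OWNER/PLACEHOLDER_REPO#0000000000000000000000000000000000000000' },
  scripts: { build: 'tsc', postinstall: 'node ./scripts/setup.js' },
};

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`[${f.section}] ${f.name} -> ${f.spec}: ${f.reason}`);
}
```

Run it against a lockfile-derived manifest as well, since a transitive package (not only the top-level one) is where such an entry was injected here.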
