📖 Tutorial

How to Defend Against npm Supply Chain Attacks: Lessons from the AntV Incident

Last updated: 2026-05-20 10:37:10 Intermediate

Introduction

In May 2026, the npm ecosystem experienced a rapid and widespread supply chain attack on the AntV data visualization libraries: malicious versions of more than 300 packages were published within minutes and stole credentials from hundreds of developers and build systems. This guide walks through the attack's mechanics, how to assess your exposure, and step-by-step actions to secure your npm workflows. Using details from the incident, including the compromised atool account, the Mini-Shai-Hulud worm, and TeamPCP's tactics, you will learn how to keep a similar breach from spreading through your organization.

How to Defend Against npm Supply Chain Attacks: Lessons from the AntV Incident
Source: www.infoworld.com

What You Need

  • An npm account (maintainer or publisher access)
  • Access to your package’s package.json and publish history
  • A list of all packages under your control or namespace
  • Familiarity with GitHub Actions, CI/CD pipelines, and token management
  • A code scanner (e.g., SafeDep, Aikido Security) or manual auditing tools
  • Write access to your repository to update secrets and tokens

Step-by-Step Guide

Step 1: Understand the Attack Vector – Compromised Maintainer Credentials

The AntV attack succeeded because the atool account (i@hust.cc), which maintained timeago.js and several other packages, had its credentials stolen. This gave the attacker publish rights to a large catalog, including size-sensor (4.2M downloads/month), echarts-for-react (3.8M), @antv/scale (2.2M), and timeago.js (1.15M).

  • Identify every account with publish permissions on your packages (npm owner ls <package> lists them, as does the maintainers field of npm view <package> --json).
  • Check whether any single account can publish several high-impact packages; that account is a single point of failure, and a bot or shared account reused across projects is the worst case.
  • Review your npm organization's member list and remove stale or unused accounts.

Step 2: Detect Suspicious Publishing Activity

Attackers published 637 malicious versions across 317 packages in just 22 minutes. That speed is itself a red flag. Alert on:

  • Many versions published in rapid succession from the same account, whether in one package or spread across your whole namespace.
  • New versions of packages that have been dormant for months, or versions with no matching git tag, release commit, or changelog entry in the source repository.
  • Publishes that bypass your normal release process (no CI run, no pull request, or a version number that does not follow your usual cadence).

The registry records a publish timestamp for every version (npm view <package> time --json); use those timestamps, or a third-party monitoring service that watches them, to catch these patterns.
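
The checks in Steps 1 and 2 can be automated from registry metadata alone. The following is an added example written for this guide (not code from the article, from AntV, or from npm): it takes packuments of the shape returned by npm view <pkg> --json and reports maintainer concentration, per-package and account-wide publish bursts, and versions that appear after a long quiet period. The four packuments, their package names, accounts and timestamps are constructed for the example and are not real packages; the 10-minute window and 180-day dormancy threshold are assumptions to tune for your own release cadence.

```javascript
'use strict';
// Added example (not from the original article). Finds single points of
// failure and publish bursts from npm registry metadata. The packuments
// below are constructed; in practice fetch each with
//   npm view <pkg> --json        (fields used: name, maintainers, time)
// Package and account names are illustrative, not real packages.

const samplePackuments = [
  { name: 'example-viz-core', maintainers: [{ name: 'shared-bot' }],
    time: { created: '2019-03-01T00:00:00.000Z',
            '1.4.0': '2024-11-02T09:12:00.000Z',
            '1.4.1': '2026-05-19T08:01:10.000Z',
            '1.4.2': '2026-05-19T08:03:40.000Z',
            '1.4.3': '2026-05-19T08:05:02.000Z' } },
  { name: 'example-viz-scale', maintainers: [{ name: 'shared-bot' }, { name: 'alice' }],
    time: { created: '2020-06-15T00:00:00.000Z',
            '2.0.0': '2026-01-10T12:00:00.000Z',
            '2.0.1': '2026-05-19T08:02:30.000Z' } },
  { name: 'example-timeago', maintainers: [{ name: 'shared-bot' }],
    time: { created: '2018-01-01T00:00:00.000Z',
            '5.0.0': '2025-12-01T10:00:00.000Z',
            '5.0.1': '2026-05-19T08:04:00.000Z' } },
  { name: 'example-chart-utils', maintainers: [{ name: 'bob' }],
    time: { created: '2021-02-02T00:00:00.000Z',
            '0.3.0': '2026-03-03T03:03:03.000Z' } },
];

// Step 1: which accounts can publish many packages, and which packages have
// exactly one maintainer (one stolen credential owns all of them).
function maintainerConcentration(packuments) {
  const byAccount = new Map();
  for (const p of packuments) {
    for (const m of p.maintainers) {
      const entry = byAccount.get(m.name) || { maintainer: m.name, packages: [], soleMaintainerOf: [] };
      entry.packages.push(p.name);
      if (p.maintainers.length === 1) entry.soleMaintainerOf.push(p.name);
      byAccount.set(m.name, entry);
    }
  }
  return [...byAccount.values()].sort((a, b) => b.packages.length - a.packages.length);
}

// Turn a packument's `time` map into sorted publish events, dropping the
// non-version keys (`created`, `modified`) the registry adds.
function publishEvents(packument) {
  return Object.entries(packument.time)
    .filter(([k]) => k !== 'created' && k !== 'modified')
    .map(([version, iso]) => ({ pkg: packument.name, version, t: Date.parse(iso) }))
    .sort((a, b) => a.t - b.t);
}

// Step 2: group events whose timestamps fall within `windowMs` of the first
// event in the group; a group of at least `threshold` publishes is a burst.
function publishBursts(events, windowMs = 10 * 60 * 1000, threshold = 3) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  const bursts = [];
  let i = 0;
  while (i < sorted.length) {
    let j = i;
    while (j + 1 < sorted.length && sorted[j + 1].t - sorted[i].t <= windowMs) j++;
    if (j - i + 1 >= threshold) {
      bursts.push(sorted.slice(i, j + 1));
      i = j + 1;
    } else {
      i++;
    }
  }
  return bursts;
}

// Step 2: a new version after a long quiet period deserves a second look.
function dormancyBreaks(packument, dormantDays = 180) {
  const ev = publishEvents(packument);
  const out = [];
  for (let k = 1; k < ev.length; k++) {
    const gapDays = (ev[k].t - ev[k - 1].t) / 86400000;
    if (gapDays > dormantDays) out.push({ version: ev[k].version, gapDays: Math.round(gapDays) });
  }
  return out;
}

// Account-wide view: every publish across all packages you own, so a spree
// like the 22-minute one in the incident shows up even when each package
// only received one or two new versions.
function accountWideBursts(packuments, windowMs, threshold) {
  return publishBursts(packuments.flatMap(publishEvents), windowMs, threshold);
}

console.log(JSON.stringify(maintainerConcentration(samplePackuments), null, 1));
console.log(accountWideBursts(samplePackuments, 10 * 60 * 1000, 4)
  .map(b => b.map(e => `${e.pkg}@${e.version}`)));
console.log(dormancyBreaks(samplePackuments[0]));
```

In the constructed data, shared-bot is the sole maintainer of two packages and can publish a third, one package shows three versions in under four minutes, five publishes land across the namespace within the same window, and example-viz-core's 1.4.1 arrives after more than a year of silence. Run the same functions over the real packuments for every package in your namespace on a schedule and page on any non-empty result.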

Step 3: Scan All Affected Packages for Known Malware

The Mini-Shai-Hulud worm was designed to steal:

  • npm and GitHub tokens
  • Credentials from 130 file paths (cloud platforms, Kubernetes, Docker, Hashicorp, SSH keys, Bitcoin wallets)
  • Claude Code's settings.json, which it modified so the malware could persist and act with the permissions of the AI coding agent

Immediately scan every package version published around May 19 with a tool that inspects package contents (for example SafeDep). npm audit alone only matches published advisories and will miss malware that has not yet been reported. Look for:

  • Presence of ~/.local/share/kitty/cat.py (a Python backdoor; reportedly inactive, but treat any host that has it as compromised).
  • Attempts to write to settings.json of AI coding tools.
  • Connections to public GitHub repositories with Dune-themed descriptions (the backwards text "niagA oG eW ereH :duluH-iahS" reads "Shai-Hulud: Here We Go Again").

Step 4: Rotate All Exposed Secrets Immediately

If any of your packages were compromised, assume every token and credential that existed on the build machine or in the CI/CD environment has been exfiltrated. Follow these actions:

  1. Revoke all npm tokens and issue new ones with minimal scope, or move publishing to trusted publishing so no long-lived token exists at all.
  2. Rotate GitHub personal access tokens, OAuth tokens, and deploy keys.
  3. Rotate credentials for every cloud provider, database, Kubernetes cluster, Docker registry, or vault whose files appear in the credential paths the worm harvested, and check their access logs for activity you did not initiate.
  4. Update any stored secrets in GitHub Actions, GitLab CI, or similar.
  5. Check for unauthorized public repositories containing your data (the attackers used Dune-themed repos to store exfiltrated data).

Step 5: Strengthen Access Controls for npm Accounts

To prevent future credential theft from having such widespread impact:

  • Enable two-factor authentication (2FA) on every npm account, and set each package's publishing access to require 2FA (npm access set mfa=publish <package>) so a stolen token alone cannot publish.
  • Use least privilege: grant publish rights only to accounts that need them, and avoid a single shared account that can publish several high-value packages.
  • Prefer trusted publishing (short-lived OIDC credentials issued to one specific CI workflow) over personal or automation tokens for releases.
  • Separate work and personal npm accounts to limit cross-contamination.

Step 6: Harden CI/CD Pipelines to Resist Similar Attacks

The worm used stolen GitHub and CI/CD tokens to create public repositories for exfiltrated data. Removing the malicious package version is not enough: the ~/.local/share/kitty/cat.py backdoor, if it was dropped, survives that cleanup, so rebuild affected runners and developer machines from known-good images rather than deleting files by hand.

  • Use short-lived credentials that expire after each workflow run (for npm, trusted publishing via GitHub Actions OIDC removes the long-lived NODE_AUTH_TOKEN entirely).
  • Set explicit, least-privilege permissions on each workflow and job; do not rely on the repository default for GITHUB_TOKEN.
  • Audit every workflow with write access to repositories or secrets, and pin third-party actions to commit SHAs rather than mutable tags.
  • Install dependencies on build runners with --ignore-scripts where the build allows it, so a malicious lifecycle script never runs there.
  • Monitor for unexpected GitHub repository creations under your organization.
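
The following added example (written for this guide; not code from the article or from GitHub) puts a weak publishing workflow next to a hardened one and runs a small, line-based check over both for the Step 6 points: an explicit permissions block, actions pinned to a full commit SHA, no long-lived npm token in secrets, no secrets exposed to pull_request_target, and dependency installs that skip lifecycle scripts. Both workflow texts are constructed for the example; the 40-hex action SHAs in the hardened version are placeholders to be replaced with the real commit SHAs, and the hardened workflow assumes trusted publishing has been configured for the package on npmjs.com.

```javascript
'use strict';
// Added example (not from the original article). A regex-based lint over
// GitHub Actions workflow text for the CI hardening points in Step 6.
// Both workflows below are constructed; the SHAs are placeholders.

const WEAK_WORKFLOW = `
name: publish
on:
  pull_request_target:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

const HARDENED_WORKFLOW = `
name: publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # short-lived OIDC token for npm trusted publishing
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder: pin to the real commit SHA
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder: pin to the real commit SHA
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci --ignore-scripts
      - run: npm publish --provenance --access public   # no NODE_AUTH_TOKEN: trusted publishing
`;

const RULES = [
  { id: 'unpinned-action', perLine: true,
    test: (l) => { const m = l.match(/uses:\s*[\w.-]+\/[\w.-]+@(\S+)/); return !!m && !/^[0-9a-f]{40}$/.test(m[1]); },
    why: 'action pinned to a mutable tag; pin to a full commit SHA' },
  { id: 'long-lived-registry-token', perLine: true,
    test: (l) => /NODE_AUTH_TOKEN:\s*\$\{\{\s*secrets\./.test(l),
    why: 'long-lived npm token in secrets; prefer trusted publishing (OIDC) so nothing reusable sits on the runner' },
  { id: 'pull-request-target', perLine: true,
    test: (l) => /^\s*pull_request_target:/.test(l),
    why: 'pull_request_target runs with secrets available to code from untrusted pull requests' },
  { id: 'install-runs-scripts', perLine: true,
    test: (l) => /\bnpm (ci|install|i)\b(?!.*--ignore-scripts)/.test(l),
    why: 'dependency lifecycle scripts execute on the publishing runner; add --ignore-scripts' },
  { id: 'no-permissions-block', perLine: false,
    test: (text) => !/^\s*permissions:/m.test(text),
    why: 'no explicit permissions block; GITHUB_TOKEN inherits the repository default' },
];

// Returns [{ rule, line, text, why }]; line is 0 for whole-file rules.
function lintWorkflow(text) {
  const findings = [];
  const lines = text.split('\n');
  for (const rule of RULES) {
    if (rule.perLine) {
      lines.forEach((line, i) => {
        if (rule.test(line)) findings.push({ rule: rule.id, line: i + 1, text: line.trim(), why: rule.why });
      });
    } else if (rule.test(text)) {
      findings.push({ rule: rule.id, line: 0, text: '', why: rule.why });
    }
  }
  return findings;
}

console.log('weak workflow findings:', lintWorkflow(WEAK_WORKFLOW));
console.log('hardened workflow findings:', lintWorkflow(HARDENED_WORKFLOW));
```

The lint is deliberately simple and will not parse every YAML layout; treat it as a pre-commit gate for your own workflow files, not a substitute for a review of what each job can reach. The hardened workflow also publishes with --provenance, which ties the published tarball to the workflow run that built it.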

Step 7: Educate Maintainers and Establish Incident Response

The AntV attack is part of a growing trend: April saw a handful of SAP packages, then 169 in the TanStack wave, and now 317. Each wave is faster and broader.

  • Train maintainers to recognize social engineering attempts (the atool account, i@hust.cc, is believed to have been phished).
  • Create a runbook for when a malicious version is detected: stop all publishes, notify users, revoke tokens, and publish a clean version.
  • Participate in shared threat intelligence (e.g., npm security advisories, Aikido Security reports).

Tips

  • Assume breach – If you maintain popular packages, treat any unusual account activity as a compromise until proven otherwise.
  • Use package integrity checks – Commit a lockfile (package-lock.json) and install with npm ci so the recorded integrity hashes are enforced. A lockfile only protects versions you have already pinned; it does not stop a dependency bump from pulling in a freshly published malicious version, so review bumps before merging.
  • Monitor your namespace – Set up alerts for new versions of your packages, especially those outside normal maintainer patterns.
  • Back up recovery codes offline – Keep your 2FA recovery codes in a secure offline location so you can regain account access quickly during an incident. Do not archive API tokens: a compromised token must be revoked and reissued, and stored copies only widen the exposure.
  • Stay updated – Follow upstream advisories from AntV, SafeDep, Wiz, and npm itself. The methods used by TeamPCP will likely evolve.
  • Test your response – Regularly simulate a supply chain incident to ensure your team can react within minutes, not hours.