PANews reported on May 20th that, according to threat intelligence released by SlowMist, several widely used npm packages, including AntV and Echarts-for-react, as well as the Python SDK durabletask, were recently hit by the Mini Shai-Hulud supply chain attack. On May 19th the npm account atool was compromised, and the attacker automatically published 637 malicious versions across 317 packages within 22 minutes. Between 00:19 and 00:54 Beijing time on May 20th, a span of 35 minutes, the attacker uploaded versions 1.4.1, 1.4.2, and 1.4.3 of durabletask in succession, bypassing the normal release controls and passing them off as official Microsoft releases.
The massive GitHub token leak and the ransomware attack on Grafana Labs are likely related to this supply chain attack. Affected components include widely used npm packages such as AntV and Echarts-for-react, as well as the Python package durabletask (versions 1.4.1, 1.4.2, and 1.4.3). With what the malicious versions collect, attackers can steal cloud and on-premises credentials, gain unauthorized access to internal repositories and sensitive cloud infrastructure, move laterally to developer machines and CI/CD pipelines, sell or exploit the leaked GitHub tokens, and follow up with ransomware and data breach extortion. SlowMist recommends immediately rotating all exposed credentials, replacing affected packages, isolating potentially infected systems, and implementing strict dependency review policies.
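One concrete form the recommended dependency review can take, written here as an added example (not SlowMist's or PANews's code): it flags pinned requirements that match the durabletask versions named above, and also flags any version that belongs to a publishing burst like the 35-minute 1.4.1 to 1.4.3 run, using registry metadata in the npm "time" shape. The metadata below is constructed to mirror the reported timeline (the year and exact minutes are placeholders), and the `window`/`min_count` thresholds are assumptions to tune per project.

```python
"""Dependency-review helper: known-bad pins plus burst-published versions."""
from datetime import datetime, timedelta

# Versions the report names as malicious (durabletask on PyPI).
KNOWN_BAD = {"durabletask": {"1.4.1", "1.4.2", "1.4.3"}}

# Constructed sample in npm "time" format ({version: ISO timestamp}); the
# timestamps are placeholders shaped like the reported release burst.
SAMPLE_TIME = {
    "created": "2024-01-10T09:00:00.000Z",
    "1.3.0": "2024-01-10T09:00:00.000Z",
    "1.4.0": "2025-03-02T11:30:00.000Z",
    "1.4.1": "2025-05-19T16:19:00.000Z",
    "1.4.2": "2025-05-19T16:37:00.000Z",
    "1.4.3": "2025-05-19T16:54:00.000Z",
}


def parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def burst_versions(time_map, window=timedelta(minutes=60), min_count=3):
    """Return versions published within `window` of at least min_count-1 others.
    A normal release cadence rarely produces such clusters; an automated
    takeover does (assumed thresholds, adjust for the project's cadence)."""
    releases = sorted((parse_ts(ts), v) for v, ts in time_map.items()
                      if v not in ("created", "modified"))
    flagged = set()
    for i, (t0, _) in enumerate(releases):
        cluster = [v for t, v in releases[i:] if t - t0 <= window]
        if len(cluster) >= min_count:
            flagged.update(cluster)
    return sorted(flagged, key=lambda v: parse_ts(time_map[v]))


def check_pin(name, version, time_map):
    """Reasons a pinned version needs a human look; empty list means none."""
    reasons = []
    if version in KNOWN_BAD.get(name, set()):
        reasons.append("listed as malicious")
    if version in burst_versions(time_map):
        reasons.append("part of a publishing burst")
    return reasons


def review_requirements(lines, metadata):
    """Scan 'name==version' requirement lines against per-package metadata."""
    findings = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()      # drop comments
        if "==" not in line:
            continue                              # only exact pins are checked
        name, version = (p.strip() for p in line.split("==", 1))
        reasons = check_pin(name.lower(), version, metadata.get(name.lower(), {}))
        if reasons:
            findings[f"{name}=={version}"] = reasons
    return findings
```

Feed it real registry metadata (the npm `time` object, or PyPI `releases` upload times mapped into the same shape) and the project's lockfile to make it a CI gate rather than a one-off check.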
Previous reports indicated that the "mini sandworm" worm (Mini Shai-Hulud) has recently caused widespread infections in open-source code repositories, and developers should be vigilant and investigate.