HeadlinesBriefing.com

npm supply chain attack hits 317 packages with Mini Shai-Hulud malware

Hacker News

The npm account atool was compromised on May 19, 2026, and the attacker published 637 malicious versions across 317 packages in a 22-minute automated burst. Affected packages include size-sensor (4.2M downloads/month), echarts-for-react (3.8M), and hundreds of @antv scoped packages. The payload is a 498KB obfuscated Bun script matching the Mini Shai-Hulud toolkit used in a SAP compromise three weeks earlier.

The malware harvests credentials across the full AWS chain, Kubernetes tokens, GitHub PATs, and SSH keys. Stolen data gets exfiltrated by committing it as Git objects to public GitHub repos. In CI, the payload exchanges GitHub Actions OIDC tokens for npm publish tokens, signs artifacts via Sigstore, and injects persistence into .github/workflows/codeql.yml. It also hijacks Claude Code and Codex via SessionStart hooks.

A persistent systemd service installs a GitHub dead-drop C2 backdoor that polls commit messages for RSA-signed commands containing the keyword firedalazer. The attack runs two execution paths: preinstall hooks, and optionalDependencies pointing to imposter commits in the antvis/G2 repository; the second path survives even if preinstall hooks are blocked. Auditing tools like Package Manager Guard can help by refusing packages published during configurable time windows.
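As an added illustration (not part of the briefing, and not Package Manager Guard's code), the following Python sketch applies the two checks this incident suggests to an npm packument's `time` map: refusing versions published inside an operator-defined window, and flagging bursts of several versions inside a short interval like the 22-minute one described above. The `time` map below is constructed sample data in the registry's real `version -> ISO timestamp` shape; the function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of an npm packument's "time" field (version -> publish time).
# The three 2026-05-19 entries mimic an automated burst; the older ones are normal.
SAMPLE_TIME = {
    "created": "2019-03-01T10:00:00.000Z",
    "modified": "2026-05-19T14:21:00.000Z",
    "1.0.0": "2019-03-01T10:00:00.000Z",
    "1.0.1": "2021-07-12T09:30:00.000Z",
    "1.0.2": "2026-05-19T14:03:00.000Z",
    "1.0.3": "2026-05-19T14:09:00.000Z",
    "1.0.4": "2026-05-19T14:21:00.000Z",
}


def parse_ts(s):
    """Parse the registry's ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def version_times(time_map):
    """Drop the 'created'/'modified' bookkeeping keys, keep version -> datetime."""
    return {v: parse_ts(t) for v, t in time_map.items() if v not in ("created", "modified")}


def versions_in_window(time_map, start, end):
    """Versions published inside [start, end]; an operator-defined block window."""
    return sorted(v for v, t in version_times(time_map).items() if start <= t <= end)


def burst_versions(time_map, window=timedelta(minutes=22), threshold=3):
    """Versions belonging to any cluster of >= threshold publishes within `window`."""
    items = sorted(version_times(time_map).items(), key=lambda kv: kv[1])
    flagged = set()
    for i, (_, t0) in enumerate(items):
        cluster = [v for v, t in items[i:] if t - t0 <= window]
        if len(cluster) >= threshold:
            flagged.update(cluster)
    return flagged


def allowed_versions(time_map, blocked_windows=(), burst_threshold=3):
    """Versions that pass both the block-window and the burst check."""
    blocked = burst_versions(time_map, threshold=burst_threshold)
    for start, end in blocked_windows:
        blocked.update(versions_in_window(time_map, start, end))
    return sorted(v for v in version_times(time_map) if v not in blocked)
```

Against a live registry, feed the `time` object from `GET https://registry.npmjs.org/<package>` into these functions and pin the install to one of the returned versions.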