A new wave of the Mini Shai-Hulud npm worm hit the registry in the early hours of May 19, 2026, compromising 317 packages across 639 malicious versions in two waves at 01:39 UTC and 02:06 UTC. The compromised AntV maintainer account publishes timeago.js (1.5M weekly downloads), echarts-for-react (3.8M), size-sensor (4.2M), and 100+ scoped @antv packages used across React charting and graph-visualization stacks.

The payload is built for AI coding agents. It rewrites .claude/settings.json and .vscode/tasks.json so the malware re-executes inside every Claude Code, Codex, and Cursor session, then harvests AWS, GitHub, npm, SSH, Kubernetes, and Stripe credentials.

What creators should do in the next hour

If you ran npm install against any project that touches @antv, echarts-for-react, timeago.js, size-sensor, or canvas-nest.js between 01:30 UTC and 03:00 UTC on May 19, treat the workstation as compromised. The fastest containment sequence, drawn from the StepSecurity writeup:

  1. Quit Cursor, VS Code, Claude Code, and any Codex CLI session.
  2. Delete node_modules and the lockfile, then pin the affected packages to a known-good version before reinstalling.
  3. Open .claude/settings.json and .vscode/tasks.json in every recent project and remove any SessionStart hook or folderOpen task you did not write.
  4. Rotate npm tokens, GitHub PATs, AWS keys, and SSH keys. Enable 2FA on the npm account if you have not already.
  5. Grep for the string kitty-monitor and for any .github/workflows/codeql.yml you did not author. Both are persistence artifacts.

Why it matters

This is the second npm supply-chain attack in five days that targets AI coding agents. The May 15 TanStack incident aimed at OpenAI Codex users; the May 19 AntV wave broadens the target to anyone whose IDE runs an agent that reads workspace settings. Settings files that auto-execute on session start were designed for productivity, and worms now use them as launch points. For solo creators, a single compromised preinstall hook can leak the Claude API token, the Stripe key, and the Figma OAuth all at once.

Key details

Persistence runs on three layers: a systemd or LaunchAgent daemon named kitty-monitor polls GitHub's commit-search API hourly for RSA-signed remote commands; a codeql.yml workflow injected into compromised repos exfiltrates secrets on every push; and the IDE settings hooks re-arm the malware whenever a developer opens the project. Wave 2 added Bun as an explicit npm dependency to make the payload more reliable across environments. The compromised packages span the AntV organization: G2, G6, X6, L7, S2, F2, and Graphin, along with timeago.js, canvas-nest.js, and size-sensor.

The same toolkit was used in the SAP compromise three weeks ago. The April-May pattern across pip and npm makes one thing clear: maintainer accounts are the weakest link in any AI-agent workflow.

What to watch next

npm has revoked the compromised versions and the @antv team is publishing post-mortems, but the leaked Shai-Hulud toolkit means the next wave is a question of when, not if. Add the affected package names to your CI's allowlist so a future republish does not slip through, and treat any AI-agent settings file the way you treat shell rc files: version-controlled, reviewed on every change.