Mini Shai-Hulud Hits Hundreds of npm Packages in AntV Ecosystem
ID: 372d91f8-99c1-5ff3-a64d-f4b638e4ebf8
STIX ID: report--372d91f8-99c1-5ff3-a64d-f4b638e4ebf8
Feed Name: Infosecurity Magazine (News)
**Mini Shai-Hulud supply-chain campaign (executive summary):** The Mini Shai-Hulud worm resurfaced on May 19 in a coordinated wave that published hundreds of malicious npm package versions: 639 malicious versions across 323 packages in the AntV wave, and 1055 compromised versions across 502 packages across ecosystems. The malicious versions install preinstall hooks that run an obfuscated Bun bundle to harvest cloud credentials, CI/CD tokens, SSH keys, Kubernetes service account tokens and password vaults. The harvested data is exfiltrated via GitHub repositories created with stolen tokens. To evade inspection, the attackers used optionalDependencies pointing to orphan commits in a trusted repo (antvis/G2). The activity is attributed to a financially motivated cluster (TeamPCP) and has prompted urgent recommendations to pin pre-May 19 dependency versions, rotate exposed credentials, and audit for campaign markers.
