Blockchain security firm SlowMist reports a coordinated “Mini Shai-Hulud” supply chain attack targeting npm and Python packages, exposing credentials, GitHub tokens

SlowMist: Analysis Flags High-Volume Package Tampering, Token Theft, And Repository Breaches Across Open-Source Ecosystems

2026/05/20 17:45

According to a report released by the blockchain security firm SlowMist on the social media platform X, a series of supply chain compromises affecting widely used software packages has been identified, with indications of a coordinated intrusion campaign referred to as “Mini Shai-Hulud.” The analysis suggests that several high-traffic npm libraries, including AntV and Echarts-for-react, alongside the Python-based durabletask SDK, were impacted by malicious releases distributed through compromised publishing credentials.

One incident described in the report occurred on 19 May 2026, when an npm account associated with the email [email protected] was allegedly compromised. This access reportedly enabled threat actors to publish a large number of tampered package versions, with 637 malicious releases pushed across 317 separate packages within a 22-minute window. The activity was characterized as an automated and high-speed deployment consistent with supply chain manipulation tactics.

Escalation Of Multi-Platform Supply Chain Intrusions And Credential Abuse Patterns

A second event was reported on 20 May 2026, Beijing time, involving the Python package durabletask. Multiple altered versions, including 1.4.1, 1.4.2, and 1.4.3, were reportedly released within a short span of approximately 35 minutes. According to the analysis, these updates bypassed standard release controls and appeared to imitate legitimate Microsoft software distribution channels, raising concerns about impersonation within trusted developer ecosystems.

The report further links these incidents to broader security compromises, including alleged GitHub token exposure events and a targeted attack against Grafana Labs. In the case of the GitHub-related incident, compromised credentials were reportedly obtained from an infected employee device, with indications that a malicious VS Code extension may have been involved. These credentials were allegedly used to access and potentially exfiltrate private repositories. Separately, Grafana Labs was reported to have experienced unauthorized repository access on 16 May 2026, followed by data exfiltration and a ransom demand.

The affected scope is described as extensive, spanning npm and Python ecosystems, developer authentication material, and internal infrastructure secrets. Reported targets include cloud access keys, GitHub personal access tokens, npm and PyPI credentials, Kubernetes secrets, Vault tokens, SSH keys, and other sensitive configuration files commonly present in development environments. Internal GitHub repositories and enterprise codebases were also identified as potential exposure points.

According to the threat analysis, the suspected attacker activity includes rapid credential theft following package installation, unauthorized access to internal systems, lateral movement across development and CI/CD infrastructure, and the resale or exploitation of leaked authentication tokens. Additional risks include supply chain propagation into dependent software projects and potential extortion attempts involving stolen data.

Recommended defensive measures outlined in the report include immediate rotation of exposed credentials across cloud and development platforms, verification and replacement of affected package versions, and isolation of potentially compromised systems for forensic review. Developers are also advised to inspect dependency lockfiles, monitor CI/CD logs for abnormal installations, and audit authentication events for signs of token misuse.
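The lockfile inspection step above can be automated. The following is an added example, not code from SlowMist or from any of the affected projects: it scans an npm package-lock.json and a pinned requirements.txt against a small blocklist of tampered versions. The only advisory entries taken from the report are durabletask 1.4.1, 1.4.2 and 1.4.3; the npm entry for echarts-for-react uses a placeholder version string, since the report names the package but not the affected release numbers, and both sample lockfiles are constructed for the demonstration.

```python
"""Audit dependency lockfiles against a list of known-tampered package versions.

Added example for the defensive steps in the report; not SlowMist's code.
The durabletask versions come from the report. The npm version for
echarts-for-react is a PLACEHOLDER because the report gives no version.
"""
import json
import re

# Advisory blocklist: ecosystem -> package name -> set of bad versions.
BAD_VERSIONS = {
    "pypi": {"durabletask": {"1.4.1", "1.4.2", "1.4.3"}},          # from the report
    "npm": {"echarts-for-react": {"0.0.0-placeholder"}},          # placeholder version
}


def audit_package_lock(lock_text: str, bad=BAD_VERSIONS) -> list[tuple[str, str]]:
    """Scan an npm package-lock.json (lockfileVersion 2 or 3) and return the
    (name, version) pairs that appear in the npm blocklist.

    Lockfile v2/v3 keeps every installed package, including nested copies,
    under the "packages" map keyed by its path inside node_modules."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if version in bad["npm"].get(name, set()):
            hits.append((name, version))
    return hits


# Matches exact pins such as "pkg==1.2.3"; ignores comments and blank lines.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)")


def audit_requirements(req_text: str, bad=BAD_VERSIONS) -> list[tuple[str, str]]:
    """Scan a pinned requirements.txt (pip freeze style) for bad PyPI versions.
    Names are normalised the way PyPI does: case-insensitive, with runs of
    '-', '_' and '.' folded to a single '-'."""
    hits = []
    for line in req_text.splitlines():
        m = PIN_RE.match(line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        version = m.group(2)
        if version in bad["pypi"].get(name, set()):
            hits.append((name, version))
    return hits


# Constructed sample inputs (not real project lockfiles).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/echarts-for-react": {"version": "0.0.0-placeholder"},
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/foo/node_modules/echarts-for-react": {"version": "3.0.2"},
    },
})

SAMPLE_REQUIREMENTS = """\
# constructed pip freeze output
azure-functions==1.18.0
DurableTask == 1.4.2
durabletask==1.4.0
"""

if __name__ == "__main__":
    for ecosystem, hits in (("npm", audit_package_lock(SAMPLE_PACKAGE_LOCK)),
                            ("pypi", audit_requirements(SAMPLE_REQUIREMENTS))):
        for name, version in hits:
            print(f"[{ecosystem}] tampered version pinned: {name}=={version}")
```

Run it against a real lockfile by reading the file into the two functions; an empty result means none of the listed versions is pinned, not that the tree is clean, so the blocklist should be refreshed from the vendor advisory as new versions are published. The nested node_modules path in the sample shows why the scan walks the full "packages" map rather than only top-level dependencies.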

The guidance further emphasizes enhanced monitoring of credential usage, stricter validation of third-party dependencies, and proactive threat intelligence tracking for leaked secrets or related indicators of compromise. Security teams are additionally encouraged to monitor underground marketplaces for potential distribution of stolen credentials. The firm noted that it continues to track the situation and distribute updated intelligence to affected clients as the investigation develops.

The post SlowMist: Analysis Flags High-Volume Package Tampering, Token Theft, And Repository Breaches Across Open-Source Ecosystems appeared first on Metaverse Post.

Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact [email protected] for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.