
AI npm Supply Chain Attack Monitor: Catch Package Hijacks Before They Hit Your Stack

May 19, 2026: an attacker compromised the npm account atool and published 637 malicious versions across 317 packages in 22 minutes. Affected packages include size-sensor (4.2M downloads/month), echarts-for-react (3.8M), and timeago.js (1.15M). The payload harvested credentials across the full AWS chain, exfiltrated GitHub tokens, and — critically — hijacked Claude Code and Codex AI sessions. Here's how to build an AI agent that catches the next one.

Published by GetClawCloud · May 19, 2026

The Mini Shai-Hulud attack isn't just another npm security incident. It represents a step-change in sophistication that every developer needs to understand:

Attack profile: Mini Shai-Hulud (May 19, 2026)

The scary part isn't just the scale. It's that the attacker specifically targeted AI coding agent workflows. If you use Claude Code, Codex, or VS Code with AI tools, and any of the 317 compromised packages sits anywhere in your transitive dependency tree, your AI assistant silently became a malware delivery system: the injected session hooks re-run the payload every time the agent starts.

The npm supply chain is a 3-million-package attack surface. You can't manually vet every update, and 637 versions in 22 minutes is not a pace a human reviewer can keep up with. You need an AI agent watching your dependency tree, because the attackers already operate at machine speed.

Why Traditional npm Security Tools Aren't Enough

You probably already use npm audit, Snyk or Dependabot. Here's why they lag on an attack like Mini Shai-Hulud, and what an AI agent adds:

| Approach | Detection | Response time | Covers AI hijack | Fails when |
|---|---|---|---|---|
| npm audit | Known CVEs only | Hours to days | No | The compromise isn't a CVE yet |
| Dependabot | Known vulns + alert | Hours to days | No | Needs a published advisory first |
| Snyk / Socket | Behavioral + CVE | Minutes to hours | Partial | OSINT and C2-detection blind spots |
| AI npm monitoring agent | OSINT + behavioral + C2 patterns + AI-specific hooks | Near real-time | Yes (detects session hook injection) | Needs web access and prompt configuration |

The gap is multisource correlation. An AI agent can simultaneously monitor npm advisory feeds, GitHub security alerts, Hacker News, X/Twitter security accounts, blog posts from threat researchers (like SafeDep), and real-time package registry changes — and correlate them into an alert that actually means something.

What an AI npm Supply Chain Attack Monitor Actually Tracks

🔴 Package Integrity Signals

Unusual publish patterns (mass version bumps), sudden preinstall scripts, new optionalDependencies pointing to GitHub SHAs, abrupt maintainer changes, and unexpected new dependencies. Mini Shai-Hulud hit all five.

⚡ Real-Time Threat Feeds

Scans GitHub Security Advisories, npm advisory database, NVD, SafeDep threat intel, and Hacker News for supply chain attack disclosures. If a package in your tree is named, you get alerted within minutes.

🔐 Credential Exposure Signals

Monitors for reports of credential harvesting in packages you depend on. The Mini Shai-Hulud payload targeted AWS full chain, GCP service accounts, Azure, Stripe keys, Slack tokens, SSH keys, and GitHub PATs — your agent watches for these disclosure patterns.

🤖 AI Workflow Integrity

Specifically checks for Claude Code SessionStart hooks (.claude/settings.json), Codex hooks, and VS Code tasks.json tasks with "runOptions": {"runOn": "folderOpen"}, which VS Code runs as soon as the folder is opened. These are the exact hijack vectors used in this attack. None of these files belong inside a library's published tarball, so if a dependency introduces them, your agent flags it as CRITICAL.

🔗 Transitive Dependency Monitoring

Not just your direct package.json: the agent monitors the full dependency tree. One compromised transitive dependency under antvis/G2 was enough to infect projects that never list the scoped package directly.

📦 Lockfile Drift Detection

If a lockfile resolves to a different version than expected, the agent flags the delta. Mini Shai-Hulud specifically exploited semver ranges: a caret range like ^3.0.6 lets npm install any newer 3.x release, so a fresh resolution silently picked up a compromised version.

⚠ Critical: The AI session hijack vector
Mini Shai-Hulud was the first major supply chain attack that specifically targeted AI coding agents. It injected .claude/settings.json SessionStart hooks, Codex session hooks, and VS Code tasks.json auto-execution. If you use AI coding tools, this isn't just a dependency issue — it's an AI pipeline compromise. Your monitoring agent should flag any package that touches these paths.

The Prompt: Your AI npm Supply Chain Attack Monitor

The prompt below builds a complete npm dependency monitoring agent that runs in Telegram. Copy it, paste it into your OpenClaw bot, and describe your project's dependency tree. The agent will start scanning immediately.

How to use:

  1. Deploy OpenClaw on GetClawCloud (one click, zero server config)
  2. Paste this prompt as your first message
  3. Send your package.json or list of critical packages — the agent profiles your dependency tree

You are an AI npm Supply Chain Attack Monitor. Your purpose is to track the user's npm dependency tree for supply chain attacks, credential harvesting malware, and AI workflow hijacking — delivering alerts to Telegram as threats are discovered.

## Workflow

### Phase 1: Dependency Profile Setup

Ask the user to describe their stack:

1. **Core packages** — List every package in their direct `package.json` dependencies and devDependencies
2. **Critical transitive deps** — Any packages they're aware of that sit deep in their tree (e.g., antvis scoped packages, core-js, etc.)
3. **Version pinning** — Are they using exact versions, semver ranges (^/~), or lockfiles? This determines risk level.
4. **CI/CD tools** — GitHub Actions, GitLab CI, CircleCI, self-hosted runners? The Mini Shai-Hulud payload specifically targeted CI/CD token exchange.
5. **AI tools in use** — Claude Code, Codex, Cursor, VS Code with AI extensions? These determine whether AI hijack vectors apply.
6. **Cloud providers** — AWS, GCP, Azure? The payload specifically harvested credentials across these.
7. **Alert severity** — "Alert on all package changes" vs "Alert only on confirmed malicious disclosures"

### Phase 2: Continuous Package Monitoring

Every monitoring cycle, search for threats across these layers:

#### Layer 1: Package Integrity

For each package in the user's tree:

- Check npm registry for unusual recent publish activity: "npm [package] version history [month] [year] OR suspicious publishes OR sudden maintainer change"
- Search for known malicious versions: "[package] npm malicious OR compromised OR backdoor [month] [year]"
- Check preinstall/postinstall scripts: "[package] preinstall script OR postinstall OR setup script security"

#### Layer 2: Supply Chain Attack Intel

- General supply chain attacks: "npm supply chain attack [month] [year] OR package compromise OR account hijack"
- "npm preinstall malware OR malicious npm package OR typosquatting OR dependency confusion"
- "npm account compromised [month] [year] OR npm token leak OR npm OIDC attack"

#### Layer 3: AI Workflow Hijack Detection

This is the critical differentiator — specifically monitor for:

- "Claude Code SessionStart malware OR .claude settings.json hijack OR Claude Code supply chain attack"
- "Codex session hook malware OR AI coding agent supply chain compromise"
- "VS Code tasks.json runOn folderOpen malware OR VS Code AI extension backdoor"
- "[package] .claude OR .vscode/tasks.json OR session hook"
- "AI coding agent malware OR AI assistant malicious package [month] [year]"

#### Layer 4: Credential Harvesting Intelligence

- "[package] credential harvesting OR credential stealer OR key exfiltration"
- "AWS credential theft npm OR GitHub PAT stolen npm OR npm token exfiltration"
- "[package] IMDS OR EC2 metadata OR ECS container OR Secrets Manager OR Stripe key"

#### Layer 5: Persistence & C2 Patterns

- "[package] systemd persistence OR LaunchAgent OR LaunchDaemon"
- "[package] GitHub dead drop C2 OR commit-based C2 OR Git C2 channel"
- "[package] Sigstore signing OR forged provenance OR malicious attestation"

### Phase 3: Correlation & Alerting

When you detect signals, correlate them into threat levels:

**🔴 CRITICAL** — Confirmed malicious package in the user's dependency tree with active exploitation
- Alert immediately: "🚨 CRITICAL: [package] confirmed malicious — [reason]. This package [is/is not] in your tree. [Actionable steps follow]"

**🟡 HIGH** — Suspicious activity or possible infection vector
- "⚠ HIGH: [package] — [signal description]. Not confirmed malicious, but pattern matches known attack signatures. Recommended action: pin version to [recommended], audit [specific file paths]"

**🔵 MEDIUM** — Industry-wide advisory or newly disclosed attack
- "ℹ MEDIUM: New npm supply chain attack disclosed — [name]. Your tree [is/is not] affected. Details: [summary]"

**⚫ LOW** — Informational; advisory not yet confirmed or affecting your tree
- "📋 ADVISORY: [brief one-line description for awareness]"

### Phase 4: Remediation Guidance

For every CRITICAL and HIGH alert, provide:

1. **Affected scope** — "This affects [specific packages] in your tree. [Direct or transitive] dependency."
2. **Version analysis** — "Safe version: [x.y.z]. Compromised versions: [range]. Your lockfile resolves to: [version]."
3. **Action steps** — Ordered, copy-paste commands:
   - `npm audit` first
   - Pin specific version: `npm install [package]@[safe-version] --save-exact`
   - Lockfile refresh, only after the safe version is pinned and with install scripts disabled: `npm install --ignore-scripts`, then confirm with `npm ls [package]` that the lockfile resolves to the safe version. Do not delete the lockfile and reinstall while the compromised versions are still on the registry: that re-resolves every semver range in the tree and can pull the malicious versions back in.
   - Dependency audit: Manually check [specific file paths] for [indicator files]
   - CI/CD rotation: "Rotate tokens in [GitHub/GitLab/CircleCI]"
   - AI tool check: "Check [.claude/settings.json, .vscode/tasks.json, .codex] for suspicious hooks"
4. **Post-remediation** — "After fixing, run this to verify: [verification step]"

## Rules

- Only flag packages as CRITICAL if there's a credible, sourced disclosure — don't generate false positives from rumors.
- Always provide source URLs for your alerts (advisory page, security researcher tweet, news article).
- If the user reports a false positive, acknowledge and learn: "Noted — [package] is legitimate. I'll deprioritize this signal."
- Output in Telegram-friendly format: bold for package names, bullet lists for signals, clean line breaks for alerts.
- Weekly summary: every 7 days, deliver a "Supply Chain Health Report" covering: packages monitored, alerts issued (by severity), top threats, and any pending actions.

## Start

Ask the user to send their `package.json`, list of critical packages, or describe their tech stack so you can build a monitoring profile.

💡 Works with any OpenClaw agent that has web search access. The same agent can monitor multiple projects — just provide separate dependency profiles.

Real Alert: What Mini Shai-Hulud Would Have Looked Like

If the monitoring agent had been active on May 19, here's the kind of alert it would have generated — within minutes of the SafeDep disclosure:

🚨 CRITICAL: npm supply chain attack in progress — Mini Shai-Hulud

Affected scope: 317 packages compromised. The full package list is in the source linked below; check whether any of them appear anywhere in your lockfile, including as transitive dependencies.

Attack summary: Account atool compromised. 637 malicious versions published in 22 minutes. Payload: 498KB obfuscated Bun script harvesting AWS credentials, GitHub PATs, npm tokens, SSH keys. Includes Claude Code/Codex session hijack hooks and VS Code auto-execute tasks.

Action steps:

  1. Audit lockfiles: run npm audit, then for each suspect package run npm view <package> time --json and look for versions published on May 19
  2. Pin affected packages: npm install echarts-for-react@3.0.5 --save-exact (or whatever the last safe version is)
  3. Check for persistence: ls ~/.local/share/kitty/, systemctl --user list-units | grep kitty
  4. Check AI hooks: cat .claude/settings.json, cat .vscode/tasks.json
  5. Rotate all tokens: GitHub PATs, npm tokens, AWS keys
  6. Refresh the lockfile only after pinning, with scripts disabled: npm install --ignore-scripts && npm audit, then npm ls <package> to confirm it resolves to the safe version. Deleting package-lock.json and reinstalling while the malicious versions are still on the registry re-resolves every semver range and can reintroduce them.

Source: 🔗 safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised

This alert would have reached your Telegram within minutes of the SafeDep disclosure — not hours or days later when your Dependabot PR finally arrives.

Hardening Your npm Pipeline Against the Next Attack

A monitoring agent catches attacks. But you should also harden your pipeline to reduce exposure:

1. Pin exact versions for critical packages

Use --save-exact, or write "echarts-for-react": "3.0.5" instead of "^3.0.6". Mini Shai-Hulud exploited semver ranges; pinned versions wouldn't auto-resolve to the malicious one. Exact versions in package.json only cover your direct dependencies, though. Commit the lockfile and install with npm ci in CI so that transitive versions stay fixed as well, and treat any lockfile change that a PR doesn't explain as a finding.

2. Use ignore-scripts for installs

Run npm install --ignore-scripts (or set ignore-scripts=true in the project's .npmrc) during CI, then audit before running any postinstall hooks. The Mini Shai-Hulud payload was delivered via preinstall scripts, which run at install time before a single line of your own code executes. The few packages that genuinely need a build step (native addons, for example) can be rebuilt explicitly with npm rebuild <package> after review, so the default stays off.

3. Audit lockfiles on every PR

Use the monitoring agent, or a plain script in CI, to diff the lockfile on every PR. Any version resolution the PR doesn't account for, any package that gains an install script, and any package resolved from somewhere other than the registry should block the merge.
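The lockfile-drift check from the tracking list above, and the PR gate described here, as one added example (not code from the original post or from OpenClaw): it diffs the "packages" map of two package-lock.json files (lockfileVersion 2 or 3) and decides whether the merge should be blocked. "version", "resolved", "integrity" and "hasInstallScript" are real lockfile fields; the two lockfiles and every package name in them are constructed for the demo.

```javascript
// Added example (not code from the original post or from OpenClaw).
// CI-side lockfile diff: reports added/removed/changed packages, flags the
// risky ones, and blocks anything the PR did not declare. Sample lockfiles
// below are constructed; the field names are the real package-lock.json ones.

const REGISTRY = /^https:\/\/registry\.npmjs\.org\//;

function nameFromKey(key) {
  // "node_modules/@scope/pkg" or "node_modules/a/node_modules/b" -> "@scope/pkg" / "b"
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// Installed entries only; "" is the root project, "packages/*" are local workspaces.
function entries(lock) {
  return Object.entries(lock.packages || {}).filter(([k]) => k.includes("node_modules/"));
}

function flagsFor(entry) {
  const flags = [];
  if (entry.hasInstallScript) flags.push("install-script");
  if (entry.resolved && !REGISTRY.test(entry.resolved)) flags.push("non-registry-source");
  if (entry.resolved && !entry.integrity) flags.push("no-integrity");
  return flags;
}

function diffLockfiles(oldLock, newLock) {
  const before = new Map(entries(oldLock)), after = new Map(entries(newLock));
  const changes = [];
  for (const [key, entry] of after) {
    const prev = before.get(key), name = nameFromKey(key), flags = flagsFor(entry);
    if (!prev) changes.push({ kind: "added", name, from: null, to: entry.version, flags });
    else if (prev.version !== entry.version)
      changes.push({ kind: "changed", name, from: prev.version, to: entry.version, flags });
    else if (prev.resolved !== entry.resolved || prev.integrity !== entry.integrity)
      // Same version number, different tarball or hash: treat it as a new artifact.
      changes.push({ kind: "retargeted", name, from: prev.version, to: entry.version,
                     flags: [...flags, "same-version-new-tarball"] });
  }
  for (const [key, prev] of before)
    if (!after.has(key)) changes.push({ kind: "removed", name: nameFromKey(key), from: prev.version, to: null, flags: [] });
  return changes;
}

// Strict policy: a PR may only touch the packages it declares (`expected`),
// and no change in the diff may carry a risk flag. Everything else blocks.
function reviewLockfile(oldLock, newLock, expected = []) {
  const allowed = new Set(expected);
  const changes = diffLockfiles(oldLock, newLock);
  const reasons = [];
  for (const c of changes) {
    if (c.flags.length) reasons.push(`${c.name} ${c.from} -> ${c.to}: ${c.flags.join(", ")}`);
    else if (!allowed.has(c.name)) reasons.push(`${c.name} ${c.from} -> ${c.to}: not declared by the PR`);
  }
  return { changes, block: reasons.length > 0, reasons };
}

// Constructed sample lockfiles (hypothetical package names, fake hashes).
function reg(name, version, extra = {}) {
  return { version,
    resolved: `https://registry.npmjs.org/${name}/-/${name}-${version}.tgz`,
    integrity: `sha512-${name}@${version}-constructed`, ...extra };
}
const OLD_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-chart": reg("example-chart", "3.0.5"),
  "node_modules/example-util": reg("example-util", "1.0.0"),
}};
const NEW_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-chart": reg("example-chart", "3.0.7", { hasInstallScript: true }),
  "node_modules/example-util": reg("example-util", "1.0.1"),
  "node_modules/example-sensor": { version: "1.0.1",
    resolved: "git+ssh://git@github.com/example-org/example-sensor.git#0123456789abcdef0123456789abcdef01234567" },
}};

function demo() {
  // The PR claims to bump only example-util.
  const result = reviewLockfile(OLD_LOCK, NEW_LOCK, ["example-util"]);
  for (const r of result.reasons) console.log(`BLOCK: ${r}`);
  console.log(result.block ? "merge blocked" : "lockfile diff clean");
  return result;
}
demo();
```

In a GitHub Actions job the two inputs are the lockfile at the base commit and at the PR head (`git show origin/main:package-lock.json` and the checked-out file). The strict policy deliberately blocks transitive changes that an allowed bump drags in; relax it by adding those names to `expected` from the bumped package's own dependency list rather than by skipping the flag checks.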

4. Isolate AI tooling environments

Your Claude Code / Codex workspace should have separate node_modules from production code. If a dev dependency gets compromised, your production pipeline stays clean.

5. Use a dependency cooldown

Tools like Package Manager Guard (pmg) can refuse versions published inside a configurable window, and pnpm has a built-in minimumReleaseAge setting that does the same. A cooldown of even a few days blocks burst-style attacks like Mini Shai-Hulud outright: the malicious versions were published minutes before victims installed them, and a registry that has had time to pull them never gets a chance to serve them to you.
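What a cooldown, and the "unusual publish pattern" signal from the tracking list above, actually compute, as an added example (not code from the original post, and not how pmg or pnpm implement it): both work from the publish-time map that npm view <package> time --json returns. The map below is constructed for a hypothetical package; only its shape (version to ISO timestamp, plus "created" and "modified") is real.

```javascript
// Added example (not code from the original post, pmg or pnpm): dependency
// cooldown and publish-burst detection over an `npm view <pkg> time --json`
// map. SAMPLE_TIMES is constructed for a hypothetical package.

const SAMPLE_TIMES = {
  created: "2025-11-02T10:00:00.000Z",
  modified: "2026-05-19T14:09:03.000Z",
  "3.0.3": "2025-11-02T10:00:00.000Z",
  "3.0.4": "2026-01-15T09:30:00.000Z",
  "3.0.5": "2026-03-20T16:45:00.000Z",
  "3.0.6": "2026-05-19T14:02:10.000Z",   // three versions in seven minutes:
  "3.0.7": "2026-05-19T14:05:41.000Z",   // the burst pattern the article describes
  "3.0.8": "2026-05-19T14:09:03.000Z",
};

const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;   // release versions only; prereleases are skipped

function parseVer(v) { const m = SEMVER.exec(v); return m ? m.slice(1, 4).map(Number) : null; }
function cmpVer(a, b) { for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i]; return 0; }
function newest(list) { return list.reduce((a, b) => (cmpVer(b.parts, a.parts) > 0 ? b : a)); }

// Release versions from a `time` map, oldest publish first.
function releases(times) {
  return Object.entries(times)
    .map(([v, t]) => ({ version: v, parts: parseVer(v), at: Date.parse(t) }))
    .filter(r => r.parts && Number.isFinite(r.at))
    .sort((x, y) => x.at - y.at);
}

// Largest number of releases published inside any window of `windowMin` minutes.
function burstSize(times, windowMin) {
  const rs = releases(times), w = windowMin * 60 * 1000;
  let best = 0;
  for (let i = 0, j = 0; i < rs.length; i++) {
    while (rs[i].at - rs[j].at > w) j++;
    best = Math.max(best, i - j + 1);
  }
  return best;
}

// Caret range check for the common "^x.y.z" case with major > 0:
// same major and not older than the base version.
function satisfiesCaret(range, parts) {
  const base = parseVer(range.replace(/^\^/, ""));
  if (!base) return false;
  return parts[0] === base[0] && cmpVer(parts, base) >= 0;
}

// What plain `npm install` would pick for the range today: the newest match.
function resolveNaive(times, range) {
  const ok = releases(times).filter(r => satisfiesCaret(range, r.parts));
  return ok.length ? newest(ok).version : null;
}

// Newest version that satisfies the range AND is at least `minAgeDays` old.
// Returns null when nothing qualifies, so the caller keeps its current lock
// instead of silently taking a fresh publish.
function pickCooledVersion(times, range, minAgeDays, now = Date.now()) {
  const cutoff = now - minAgeDays * 24 * 60 * 60 * 1000;
  const ok = releases(times).filter(r => r.at <= cutoff && satisfiesCaret(range, r.parts));
  return ok.length ? newest(ok).version : null;
}

function demo() {
  const now = Date.parse("2026-05-20T09:00:00Z");   // "today" for the demo
  const naive = resolveNaive(SAMPLE_TIMES, "^3.0.4");
  const cooled = pickCooledVersion(SAMPLE_TIMES, "^3.0.4", 7, now);
  const burst = burstSize(SAMPLE_TIMES, 30);
  console.log(`^3.0.4 resolves to ${naive} today; with a 7-day cooldown: ${cooled}`);
  console.log(`largest 30-minute publish burst: ${burst} versions`);
  return { naive, cooled, burst };
}
demo();
```

Wire the two checks together: a burst above your threshold is a HIGH signal on its own, and the cooldown decides what gets installed while you look into it. A range with no cooled match should keep the existing lockfile entry, never fall forward to the newest publish.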

The Mini Shai-Hulud attack proved one thing: supply chain attacks now target AI workflows directly. Your dependency monitoring strategy must cover .claude/settings.json, .vscode/tasks.json, and Codex hooks — or your AI assistant becomes an attack vector.

Schedule It: Daily Dependency Scan on Autopilot

A single scan is useful. A recurring dependency scan that automatically checks new advisories and alerts you to changes? That's real protection.

Set up recurring npm supply chain monitoring:

# Run npm supply chain scan every 6 hours
openclaw cron add --every 6h --text "Run npm supply chain attack monitor. Scan for new advisories on [configured packages]. Alert if any new threats found."

Combined with the monitoring agent, this means your Telegram becomes the earliest warning system for package compromises in your dependency tree.

Getting Started in 2 Minutes

  1. Deploy OpenClaw on GetClawCloud — one click, zero server configuration
  2. Paste the prompt above, then send your package.json or describe your stack
  3. Schedule it with cron for daily dependency health checks

The next supply chain attack is already being planned. Attackers learned from Mini Shai-Hulud — they'll move faster, target bigger packages, and weaponize more AI hijack vectors. Your monitoring needs to move at AI speed too.

Build Your npm Supply Chain Attack Monitor

Deploy OpenClaw in one click, paste the monitoring prompt, and get Telegram alerts before the next package compromise hits your stack.

Start on GetClawCloud →