npm

@antv/l7-district

@antv/l7-district is identified in the SafeDep analysis "Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised". A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+ monthly downloads.

discovered 2026-05-19

Threat types

credential_stealer

Malicious versions

2.4.12
2.5.12

Campaigns

Mini Shai-Huludattributed-to

Indicators

domaint.m-kosche.comcommunicates-with
ipv4169.254.169.254communicates-with
ipv4169.254.170.2communicates-with
sha256a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1cindicates
sha11916faa365f2788b6e193514872d51a242876569indicates
sha17cb42f57561c321ecb09b4552802ae0ac55b3a7aindicates
sha1dc3d62a2181beb9f326952a2d212900c94f2e13dindicates
sha1de0fac2e4500dabe0009e67214ff5f5447ce83ddindicates
sha1bbbca2ddaa5d8feaa63e36b76fdaad77386f024findicates
email[email protected]exfiltrates-to
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1528 Steal Application Access Tokenuses
ttpT1105 Ingress Tool Transferuses
ttpT1102 Web Serviceuses

Read the full analysis →