🚨 SlowMist TI Alert 🚨
The Shai-Hulud malware has resurfaced via the npm account atool (i@hust.cc), with over 600 malicious versions published. Notably, high-download packages such as size-sensor@1.1.4 (4.2M dl/mo), echarts-for-react@3.1.7 (3.8M dl/mo), and @antv/scale@0.6.2 (2.2M dl/mo) are at elevated risk.
The attack carries the following risks:
1. AI agent hijacking: Claude Code, Codex, and VS Code tasks can trigger a Bun bootstrapper that re-executes the malicious payload.
2. Credential harvesting: The malware collects credentials from cloud services, GitHub, npm, local environments, and CI/CD pipelines.
Using ^ (caret) version ranges may cause npm to automatically resolve to and install versions that have been compromised or otherwise carry security risks.
Detection & Mitigation Measures:
• Audit dependencies for any package published by atool (i@hust.cc) and check for suspicious preinstall scripts
• Remove compromised packages and rotate all exposed credentials
• Inspect CI/CD pipelines and local Node.js projects for malicious hooks or workflows
• Revert to safe package versions or known-good dependencies
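A lockfile audit covering the first and last bullets above, added here as example code (it is not SlowMist's tooling). It assumes an npm package-lock.json with lockfileVersion 2 or 3, whose "packages" map records a version and a hasInstallScript flag per installed path, and uses constructed sample inputs rather than real project files.

```python
"""Audit an npm project for the package versions named in the alert,
list packages that run install-time hooks, and spot caret ranges that
could float onto a bad version. Added example, not SlowMist's tooling."""
import json

# Package versions named in the alert; extend the sets as needed.
FLAGGED = {
    "size-sensor": {"1.1.4"},
    "echarts-for-react": {"3.1.7"},
    "@antv/scale": {"0.6.2"},
}

def name_from_path(path):
    """'node_modules/foo/node_modules/@antv/scale' -> '@antv/scale'."""
    return path.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock):
    """Return (name, version, reason) tuples for flagged versions and install hooks."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself
        name, version = name_from_path(path), entry.get("version", "")
        if version in FLAGGED.get(name, ()):
            findings.append((name, version, "version named in alert"))
        if entry.get("hasInstallScript"):  # npm marks preinstall/install/postinstall here
            findings.append((name, version, "install script present"))
    return findings

def caret_ranges(manifest):
    """Return alert-listed packages declared with a ^ range in package.json."""
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    return sorted(n for n, spec in deps.items() if n in FLAGGED and spec.startswith("^"))

# Constructed sample inputs, not real project files.
SAMPLE_LOCK = json.loads('''{"lockfileVersion": 3, "packages": {
  "": {"name": "app"},
  "node_modules/size-sensor": {"version": "1.1.4", "hasInstallScript": true},
  "node_modules/echarts-for-react": {"version": "3.0.2"},
  "node_modules/@antv/scale": {"version": "0.6.2"},
  "node_modules/left-pad": {"version": "1.3.0"}}}''')
SAMPLE_MANIFEST = {"dependencies": {"echarts-for-react": "^3.0.2", "left-pad": "1.3.0"}}

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print("FLAG %s@%s: %s" % finding)
    for name in caret_ranges(SAMPLE_MANIFEST):
        print("PIN %s: caret range can resolve to a flagged version" % name)
```

Run it against a real project by loading its package-lock.json and package.json with json.load; every flagged entry should be removed or pinned to a known-good version and the credentials it could have reached rotated.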
⚠️ Critical Action:
Treat any system with affected packages as potentially compromised. Apply mitigation steps immediately.