The security incidents at GitHub and Grafana are likely related to a large-scale "mini sandworm" supply chain attack
By: rootdata|2026/05/20 13:43:14
0
Share
According to the threat intelligence released by Slow Fog, several high-frequency npm packages including AntV and Echarts-for-react, as well as the Python SDK durabletask, have recently been targeted by the Mini Shai-Hulud "mini sandworm" supply chain attack. The npm account atool was compromised, and the attacker automatically published 637 malicious versions within 22 minutes, affecting 317 packages. The attacker continuously uploaded durabletask versions 1.4.1, 1.4.2, and 1.4.3 within 35 minutes, bypassing normal release controls and impersonating an official Microsoft release.
The large-scale leak of GitHub tokens and the ransomware attack on Grafana Labs are likely related to this supply chain attack. Affected components include high-frequency components such as AntV and Echarts-for-react in the npm ecosystem, as well as Python packages durabletask 1.4.1, 1.4.2, and 1.4.3. Attackers can steal cloud and local credentials, gain unauthorized access to internal repositories and sensitive cloud infrastructure, move laterally to developer machines and CI/CD pipelines, sell and exploit leaked GitHub tokens, and implement extortion and data leak threats.
Slow Fog recommends immediately rotating all exposed credentials, replacing affected packages, isolating potentially infected systems, and implementing strict dependency review policies. Previously, it was reported that the "mini sandworm" worm has recently completed widespread infection in open-source code repositories, and developers should be vigilant in checking for issues.
You may also like
Duan Yongping establishes a position in a cryptocurrency company for the first time: Why Circle?
The stablecoin company represented by Circle is becoming the bridge that is easiest for traditional capital to understand and accept.
Vitalik: What is the key to the next phase of Ethereum?
"Code is law" — this is one of the earliest beliefs in the blockchain world. But what if the code itself has bugs? What if AI makes bugs ubiquitous? This is the question that Vitalik's latest long article attempts to answer.
Interlace: A global leader in Agentic Payment and stablecoin infrastructure platform, building the next generation of digital financial foundation
Interlace has launched two innovative products, Agent Card and Scan to Pay, bridging traditional finance and the crypto world, and comprehensively accelerating the integration of AI Agent consumption and stablecoin payments into everyday business scenarios with a more secure and efficient enterprise...
Morning Report | Musk's xAI launches Skills; Duan Yongping to first build position in Circle in Q1 2026; Polymarket partners with Nasdaq to launch prediction market
Overview of Important Market Events on May 19
Dialogue with Lead Bank Founder Jackie: American Banks Re-embrace Crypto
Excellent crypto companies are not those that are "best at circumventing regulations," but those that are "best at evolving in collaboration with regulations."
Vitalik: What we need to do is not to fight against AI, but to create a sanctuary
What is truly scarce is not computing power, but people who are willing to think proactively and retain sovereignty.
Morning News | VanEck and Grayscale submitted BNB ETF amendments on the same day; BlackRock discusses investing billions of dollars in SpaceX's IPO; Michael Saylor releases Bitcoin Tracker information again
Overview of Important Market Events on May 17
Crypto ETF Weekly | Last week, the net outflow of Bitcoin spot ETFs in the United States was $995 million; the net outflow of Ethereum spot ETFs in the United States was $255 million
Avenir Group solidifies its position as the largest Bitcoin ETF institutional holder in Asia, ranking first in the region for eight consecutive seasons.
This Week's News Preview | The Federal Reserve Releases the Last FOMC Minutes of the "Powell Era"
Highlights of the week from May 18 to May 24.
Blockchain Capital Partner: Most people's understanding of on-chain economy is narrow
In the author's view, the most astonishing things in the blockchain space have yet to be created. Flash loans give us a glimpse, but this is just the tip of the iceberg.
The ambition of "one account trading global assets": How does CoinUp.io break down asset barriers to become an industry dark horse?
Create a diversified financial ecosystem through collaboration between CEX and public chains.
How long will it take for the GPU futures market when computing power is commoditized?
Will computing power be the next major commodity? Examining the GPU futures market from five dimensions: it is still too early to talk about an explosion; the real breakthrough variable lies within the wave of open-source models and inference demand.
Harvard University loses $150 million in cryptocurrency! Has completely liquidated Ethereum and significantly reduced its Bitcoin ETF positions
In just two quarters, Harvard's public holdings in crypto assets fell from a peak of $443 million to about $117 million.
BNB Chain releases a research report exploring the migration path of BSC to post-quantum cryptography
The report explores the specific performance and implementation path impacts of replacing traditional blockchain cryptography with anti-quantum methods, including the use of ML-DSA-44 as a transaction signature scheme and the use of pqSTARK aggregated verifier consensus signatures.
After the number of developers was halved: Crypto is not dead, it has just handed over talent to AI
The trust, coordination, and verification issues encountered in the scaling of AI will ultimately require the mechanism design capabilities accumulated by the crypto industry to resolve.
"JUST 6th Anniversary x GasFree Super Carnival Month" is here: Enjoy "0" Gas transfer freedom and share a prize pool of 10,000 USDT
The total prize pool for this grand event reaches 10,000 USDT, covering multiple gameplay options such as the GasFree activation challenge, the exclusive prize pool for the pizza festival, the JUST 6th anniversary lucky koi, and knowledge competitions.
Morning News | AEON completes $8 million Pre-Seed round financing led by YZi Labs; Goldman Sachs liquidates XRP and Solana ETF holdings in Q1; Strategy increased its holdings by 24,869 BTC last week
Overview of Important Market Events on May 18
Capital Markets: How will independent agents obtain financing?
Agents are becoming real companies: signing contracts, opening accounts, taking orders, and sharing profits. When ten thousand such companies are operating simultaneously, who will lend to them? How do they obtain financing?
Duan Yongping establishes a position in a cryptocurrency company for the first time: Why Circle?
The stablecoin company represented by Circle is becoming the bridge that is easiest for traditional capital to understand and accept.
Vitalik: What is the key to the next phase of Ethereum?
"Code is law" — this is one of the earliest beliefs in the blockchain world. But what if the code itself has bugs? What if AI makes bugs ubiquitous? This is the question that Vitalik's latest long article attempts to answer.
Interlace: A global leader in Agentic Payment and stablecoin infrastructure platform, building the next generation of digital financial foundation
Interlace has launched two innovative products, Agent Card and Scan to Pay, bridging traditional finance and the crypto world, and comprehensively accelerating the integration of AI Agent consumption and stablecoin payments into everyday business scenarios with a more secure and efficient enterprise...
Morning Report | Musk's xAI launches Skills; Duan Yongping to first build position in Circle in Q1 2026; Polymarket partners with Nasdaq to launch prediction market
Overview of Important Market Events on May 19
Dialogue with Lead Bank Founder Jackie: American Banks Re-embrace Crypto
Excellent crypto companies are not those that are "best at circumventing regulations," but those that are "best at evolving in collaboration with regulations."
Vitalik: What we need to do is not to fight against AI, but to create a sanctuary
What is truly scarce is not computing power, but people who are willing to think proactively and retain sovereignty.
Customer Support:@weikecs
Business Cooperation:@weikecs
Quant Trading & MM:bd@weex.com
VIP Program:support@weex.com
