Mini Shai-Hulud targets AI coding agents: what developers need to know

TL;DR overview

• Mini Shai-Hulud is the first supply chain attack to persist through AI coding agent sessions, silently re-executing every time a developer opens an infected project.
• It injects hooks into agent and editor configuration directories that fire with full permissions and no visible output, spreading across every repository on the machine.
• SonarQube's dependency verification, SCA daily rescans, and secrets detection rules provide checkpoints that reduce both exposure and blast radius.
• AI coding agents are infrastructure now, and their configuration files are attack surface that warrants the same scrutiny as CI/CD workflows.

You clone a repo, and Claude Code opens it. The .claude/settings.json it finds has a SessionStart hook that runs node .claude/setup.mjs. A bootstrapper silently downloads Bun 1.3.14, re-executes a credential harvester that reads 80+ environment variables and 130+ file paths, and sends the results to a command-and-control server disguised as an OpenTelemetry endpoint. Nothing appears in the terminal, so you switch to another project, and the same thing happens again.

This is Mini Shai-Hulud, the first in-the-wild supply chain attack designed to persist through AI coding agent sessions. The attack started with a compromised npm maintainer account named atool, the account that controls timeago.js and the broader @antv namespace. Using the compromised credentials, the attacker pushed malicious versions across ~323 packages in rapid automated bursts on May 19, 2026, affecting millions of downloads weekly. Socket.dev, SafeDep, and StepSecurity published thorough IOC breakdowns within hours. What those analyses cover well is the credential harvesting scope, the worm propagation mechanics, and the detection indicators. The AI agent persistence layer, however, is the part that’s actually new, and not much time is spent on this.

How Mini Shai-Hulud hijacks your agent

Previous npm supply chain attacks ran their payload once, during npm install, through a preinstall or postinstall lifecycle hook. Mini Shai-Hulud does that too, using preinstall: bun run index.js as its first infection vector. A second, redundant vector injects optionalDependencies pointing to orphan commits pushed to the antvis/G2 repository via a deleted fork. The injected commit's package.json declares a prepare hook instead of preinstall, which fires during git dependency resolution even when preinstall scripts are blocked, and unfortunately, the payload doesn't stop at credential harvesting. Exfiltrated data leaves through encrypted HTTPS posts to a C2 server disguised as an OpenTelemetry collector endpoint, and from commits pushed to GitHub repositories via the victim's stolen token. The GitHub exfiltration channel is separate from the orphan commit payload delivery mechanism as the orphan commits in G2 deliver the malware whereas the API-based commits extract stolen data. The payload then writes persistence artifacts into the project's AI agent configuration directories.

For Claude Code, the worm injects a SessionStart hook into .claude/settings.json that executes node .claude/setup.mjs on every session. For VS Code, it writes a .vscode/tasks.json entry with "runOn": "folderOpen" that auto-executes when the editor opens the project. Both artifacts trigger a process to download Bun, re-execute the credential harvester, and scan the local filesystem for more projects to infect.

.claude/ and .vscode/ directories are trusted execution infrastructure, which is why this works so well. SessionStart hooks fire before any user interaction, with the agent's full permissions, and produce no prompt, confirmation dialog, or visible output. The attack treats AI coding agents as infrastructure it can camp inside to re-execute indefinitely, similar to the way earlier malware treated cron jobs or systemd services.

The local project scanning component makes this a worm in the traditional sense. An infected repo's payload scans the developer's filesystem for other Claude Code and VS Code configurations and injects the same hooks, so one compromised dependency in one project can spread the persistence layer across every repository on the machine. AI coding agents operate across multiple repositories in a single session, so the cross-project spread happens through normal development activity.

Mini Shai-Hulud also installs system-level persistence (a kitty-monitor daemon that polls GitHub for signed C2 commands, a gh-token-monitor service that continuously validates stolen tokens), but the AI agent hijacking is the novel contribution. Previous Shai-Hulud variants used cron and systemd, and this wave added Claude Code and VS Code as first-class persistence targets.

The checkpoints SonarQube puts in the path

SonarQube operates at the dependency verification and secrets hygiene layers, and both are directly relevant to reducing exposure and blast radius from attacks like this one. Other layers in the defense stack cover real-time registry scanning and CI/CD runtime monitoring. Supply chain defense requires all of these layers working together, and SonarQube provides checkpoints at many of them.

Dependency pre-flight via the MCP server. When an AI coding agent adds or updates a dependency, SonarQube's MCP server requires calling check_dependency before modifying any manifest or lockfile. The tool checks the package against the OpenSSF Malicious Packages database (included in the OSV dataset that SonarQube Advanced Security sources from). For a catalogued malicious package, the response is unambiguous:

"purl": "pkg:npm/example-compromised-pkg@2.0.1",

The AI agent is directed not to proceed. The MCP server instructs the agent through its system prompt, and compliance depends on the agent following the directive, so it’s a guardrail rather than a hard block. For the AI agent infection vector specifically, where the worm propagates by injecting malicious dependencies into projects that agents subsequently work on, the check_dependency checkpoint sits directly in the propagation path. Detection of these dependencies depends on database freshness. The OpenSSF Malicious Packages database is populated by behavioral scans of newly published packages, and there's inherent latency between a malicious version hitting npm and its entry appearing in that database. Once catalogued, though, every agent session that tries to add the dependency hits the checkpoint.

SCA daily rescan as incident response. SonarQube Advanced Security's software composition analysis runs periodic re-analysis of existing branches (configurable as daily, weekly, or never). A project that installed a compromised @antv version before the packages were catalogued would be flagged on the next rescan after the OpenSSF database updated, surfaced as a BLOCKER-severity malicious package risk that fails the quality gate. Many organizations don't re-audit their lockfiles after supply chain incidents are reported, so the daily rescan means affected projects surface in the SonarQube dashboard without manual lockfile audits, and the quality gate failure forces attention even if the team missed the initial security advisories.

Secrets hygiene as blast radius reduction. Mini Shai-Hulud's damage is proportional to the credentials it harvests. The worm targets 80+ environment variables and 130+ file paths including ~/.ssh/*, ~/.aws/credentials, and ~/.npmrc, plus database connection strings, crypto wallet files, and password manager vaults. SonarQube's secrets detection rules (S6418 for hard-coded secrets, S2068 for hard-coded credentials in connection strings, plus hundreds of additional patterns in the Advanced Security commercial rules) catch credentials committed to source code and configuration files. Organizations that enforce these rules through quality gates have fewer credentials stored where the worm can reach them, which directly reduces blast radius. The worm's primary harvesting vector is local filesystem and environment variables on the developer's machine, but it also scans repository contents, and projects with strict secrets hygiene give it less to work with on that front.

The SonarQube CLI's sonar integrate claude command extends this hygiene into agent sessions by installing pre-tool hooks that scan for secrets before Claude Code reads or writes files. The security boundary these hooks create around Claude Code sessions is worth establishing as a baseline, especially since the attack specifically targets the .claude/ directory. The hooks are scoped to credential detection rather than general malware analysis, so a SessionStart hook running node .claude/setup.mjs wouldn't trigger on its own, but any file the bootstrapper touches that contains recognizable secrets would be flagged.

What to do now

If your projects depend on packages in the @antv scope, echarts-for-react, timeago.js, size-sensor, or any of the other affected libraries, start with these steps:

• Audit .claude/ and .vscode/ directories across all repositories. Look for SessionStart hooks in .claude/settings.json that you didn't add, setup.mjs files, and .vscode/tasks.json entries with "runOn": "folderOpen". The Intrudify scanner automates detection of persistence artifacts.
• Rotate credentials. npm tokens, GitHub PATs, SSH keys, cloud credentials (AWS, GCP, Azure), and CI/CD secrets. The worm validates stolen npm tokens against the registry API in real time, so assume compromised tokens have been used.
• Run sonar integrate claude if you use Claude Code to establish a security boundary around agent sessions.
• Check lockfiles for package versions published between May 11 and May 19, 2026. Affected scopes include @antv, @tanstack, @uipath, @mistralai, @squawk, @tallyui, and @beproduct.
• Enable SCA with a quality gate condition on malicious packages if you haven't already. The daily rescan will catch affected dependencies that were installed before the packages were catalogued. Requires SonarQube Advanced Security.
• Check for system-level persistence. Look for kitty-monitor and gh-token-monitor services in systemd user units or macOS LaunchAgents. Check ~/.local/share/kitty/cat.py and ~/.local/bin/gh-token-monitor.sh.

AI coding agents are infrastructure now, and infrastructure gets targeted. .claude/settings.json and .vscode/tasks.json are configuration files with execution semantics, which means they're attack surface. Treating them with the same scrutiny you'd give a Dockerfile or a GitHub Actions workflow is the minimum baseline going forward.