Malicious code in @antv/g6-ssr (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-3986 Malicious code in @antv/g6-editor (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/g6 (>=4.1.0 <=4.1.16), @antv/g6-pc (>=0.0.1 <=0.1.3) +5 more potentially affected by unknown CVE via @antv/g6-element (>=0.0.1 <=0.0.9)

@antv/g6-element NPM version =0.0.1, =4.1.0, =0.0.1, =2.0.0, =2.0.6, =0.0.1, =0.0.1, =0.0.3 - motif-jupyter =0.0.1-beta.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3987...

@antv/d3-interpolate (>=1.0.2 <=1.0.3), @antv/g-base (=0.5.13) +1 more potentially affected by unknown CVE via @antv/d3-color (=1.0.0)

@antv/d3-color NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/d3-color and may be impacted: - @antv/d3-interpolate =1.0.2, =1.0.3 - @antv/g-base =0.5.13 - @yogeshcl/g6-react-ba =0.0.6 Source cves: unknown CVE Source advisory:...

@antv/g6 (>=5.0.0-alpha.1 <=5.0.0-beta.28) potentially affected by unknown CVE via @antv/layout-wasm (=1.3.1)

@antv/layout-wasm NPM version =1.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/layout-wasm and may be impacted: - @antv/g6 =5.0.0-alpha.1, =5.0.0-beta.28 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4058...

MAL-2026-3985 Malicious code in @antv/g6-core (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/g-base (=0.5.13), @yogeshcl/g6-react-ba (=0.0.6) potentially affected by unknown CVE via @antv/d3-interpolate (=1.0.3)

@antv/d3-interpolate NPM version =1.0.3 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/d3-interpolate and may be impacted: - @antv/g-base =0.5.13 - @yogeshcl/g6-react-ba =0.0.6 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3866...

@antv/g6 (>=4.1.0 <=4.1.12-beta.3), @antv/graphin (>=2.0.0 <=2.0.1) +1 more potentially affected by unknown CVE via @antv/g6-pc (>=0.0.1 <=0.0.9)

@antv/g6-pc NPM version =0.0.1, =4.1.0, =2.0.0, =2.0.9, =2.0.10 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3991...

@antv/g6 (>=4.1.0 <=4.1.16), @antv/g6-element (>=0.0.1 <=0.0.16) +10 more potentially affected by unknown CVE via @antv/g6-core (>=0.0.1 <=0.0.9)

@antv/g6-core NPM version =0.0.1, =4.1.0, =0.0.1, =0.0.1, =0.0.1, =1.3.0, =2.0.0, =2.0.6, =0.0.1, =0.0.1, =0.5.85-1, =2.0.64 - motif-jupyter =0.0.1-beta.5 - yccw-common =0.5.85 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3985...

base-flow (=1.0.6), cmp-graph (>=0.0.1 <=0.0.5) +11 more potentially affected by unknown CVE via @antv/g6-editor (>=1.0.8 <=1.2.0)

@antv/g6-editor NPM version =1.0.8, =0.0.1, =1.0.13, =1.0.0, =0.1.0, =1.0.0, =0.0.1, =0.1.0, =0.0.2, =0.2.5, =0.2.6 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3986...

Malicious code in @antv/g6-plugin (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/g6-cli (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/g6 (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/g6 (>=4.1.0 <=4.1.16), @antv/g6-pc (>=0.0.1 <=0.1.3) +5 more potentially affected by unknown CVE via @antv/g6-plugin (>=0.0.1 <=0.0.9)

@antv/g6-plugin NPM version =0.0.1, =4.1.0, =0.0.1, =2.0.0, =2.0.6, =0.0.1, =0.0.1, =0.0.3 - motif-jupyter =0.0.1-beta.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3992...

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +7 more potentially affected by unknown CVE via @antv/g-plugin-canvas-renderer (>=2.0.0 <=2.5.1)

@antv/g-plugin-canvas-renderer NPM version =2.0.0, =2.0.0, =1.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.58 - @antv/g6 =5.0.46 - @antv/s2 =2.4.12-alpha.1 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3937...

Malicious code in @antv/g6-extension-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

chrisbao_package1 (>=1.0.0 <=1.0.1), dss-bloodrelation (>=1.0.0 <=1.0.6) +4 more potentially affected by unknown CVE via @antv/g6-plugins (=1.0.9)

@antv/g6-plugins NPM version =1.0.9 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/g6-plugins and may be impacted: - chrisbaopackage1 =1.0.0, =1.0.0, =0.1.0, =1.3.7, =1.1.0, =1.1.2 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3994...

@luo-luo/material (>=0.0.1 <=0.0.5-alpha), @yccw/common (>=0.5.85-1 <=2.0.64) +4 more potentially affected by unknown CVE via @antv/g6-react-node (>=1.4.4 <=1.4.8)

@antv/g6-react-node NPM version =1.4.4, =0.0.1, =0.5.85-1, =1.3.0, =1.5.0 - yccw-common =0.5.85 - zzcom =1.0.0 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3995...

@ant-design/graphs (>=2.0.0 <=2.0.4), @antv/g6-extension-react (>=0.0.1 <=0.1.19) potentially affected by unknown CVE via @antv/react-g (=2.1.1)

@antv/react-g NPM version =2.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/react-g and may be impacted: - @ant-design/graphs =2.0.0, =0.0.1, =0.1.19 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4076...

@agentscope-ai/chat (>=1.1.43 <=1.1.63-beta.1778041790294), @ant-design/charts (>=2.2.2 <=2.6.7) +115 more potentially affected by unknown CVE via @antv/g6 (>=5.0.27 <=5.1.1)

@antv/g6 NPM version =5.0.27, =1.1.43, =2.2.2, =2.0.0, =1.0.0, =0.0.1, =0.0.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0-beta.0, =1.0.1, =2.0.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3982...