MAL-2026-3956 Malicious code in @antv/g-plugin-webgl-renderer (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/g-mobile-webgl (>=1.0.0 <=1.1.1), @antv/g-plugin-3d (>=2.0.0 <=2.1.1) +6 more potentially affected by unknown CVE via @antv/g-plugin-device-renderer (>=2.0.0 <=2.6.1)

@antv/g-plugin-device-renderer NPM version =2.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =0.2.0, =0.1.0, =1.0.2, =1.0.8 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINDEVICERENDERER-16754932...

@antv/g-mobile-webgl (>=0.0.2 <=0.0.4-alpha.16), @antv/g-plugin-3d (>=1.0.0-alpha.1 <=1.0.24-alpha.16) +1 more potentially affected by unknown CVE via @antv/g-plugin-webgl-renderer (=1.0.26)

@antv/g-plugin-webgl-renderer NPM version =1.0.26 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/g-plugin-webgl-renderer and may be impacted: - @antv/g-mobile-webgl =0.0.2, =1.0.0-alpha.1, =1.0.0-alpha.0, =1.0.26-alpha.16 Source cves: unknown CV...

@antv/g-mobile-canvas (>=1.0.0 <=1.0.49), @antv/g-mobile-svg (>=1.0.0 <=1.0.46) +1 more potentially affected by unknown CVE via @antv/g-plugin-mobile-interaction (>=1.0.0 <=1.0.9)

@antv/g-plugin-mobile-interaction NPM version =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.56 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINMOBILEINTERACTION-16754986...

@antv/g-mobile-canvas (>=1.0.0 <=1.0.49), @antv/g-mobile-svg (>=1.0.0 <=1.0.46) +1 more potentially affected by unknown CVE via @antv/g-plugin-mobile-interaction (>=1.0.0 <=1.0.9)

@antv/g-plugin-mobile-interaction NPM version =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.56 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINMOBILEINTERACTION-16754817...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +9 more potentially affected by unknown CVE via @antv/g-plugin-html-renderer (>=2.0.0 <=2.3.1)

@antv/g-plugin-html-renderer NPM version =2.0.0, =2.0.0, =1.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.56 - @antv/g6 =5.0.46 - @antv/g6-extension-3d =0.1.20 - @antv/s2 =2.4.12-alpha.1 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINHTMLRENDERER-16754947...

@antv/g-mobile-canvas (>=1.0.0 <=1.1.1), @antv/g-mobile-svg (>=1.0.0 <=1.1.1) +1 more potentially affected by unknown CVE via @antv/g-plugin-gesture (>=2.0.0 <=2.1.1)

@antv/g-plugin-gesture NPM version =2.0.0, =1.0.0, =1.0.0, =1.0.0, =1.1.1 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINGESTURE-16754438...

@antv/g-web-components (>=2.0.0 <=2.1.1), @antv/g6-extension-3d (>=0.1.0 <=0.1.23) +1 more potentially affected by unknown CVE via @antv/g-webgl (>=2.0.0 <=2.1.1)

@antv/g-webgl NPM version =2.0.0, =2.0.0, =0.1.0, =1.0.2, =1.0.8 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGWEBGL-16755014...

@antv/g-web-components (>=2.0.0 <=2.1.1), @antv/g6-extension-3d (>=0.1.0 <=0.1.23) +1 more potentially affected by unknown CVE via @antv/g-webgl (>=2.0.0 <=2.1.1)

@antv/g-webgl NPM version =2.0.0, =2.0.0, =0.1.0, =1.0.2, =1.0.8 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGWEBGL-16754845...

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +15 more potentially affected by unknown CVE via @antv/g-plugin-image-loader (>=2.0.0 <=2.3.1)

@antv/g-plugin-image-loader NPM version =2.0.0, =2.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.56 - @antv/g6 =5.0.46 and more Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINIMAGELOADER-16754818...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Astra Linux - уязвимость в chromium

Using after-free in WebGL in Google Chrome before version 146.0.7680.178 allowed a remote attacker to execute arbitrary code within a sandbox through a crafted HTML page. Chromium security severity: High...

Astra Linux - уязвимость в chromium

Inappropriate implementation in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity: Medium...

Astra Linux – Vulnerability in Firefox, Thunderbird

A malicious web page could have caused an out-of-bounds write in WebGL, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird 91.10, Firefox 101, and Firefox ESR 91.10...

Astra Linux - уязвимость в chromium

Before version 146.0.7680.153, read and write operations in WebGL in Google Chrome allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. Chromium security severity: Critical...

Astra Linux – Vulnerability in Chromium

A heap buffer overflow in WebGL in Google Chrome prior to version 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page...

Astra Linux - уязвимость в chromium

A heap buffer overflow in WebGL in Google Chrome prior to version 146.0.7680.165 allowed a remote attacker to perform an out-of-bounds memory read through a crafted HTML page. Chromium security severity: High...

CVE-2026-22166 GPU DDK - Write UAF in KEGLGetPoolBuffers, WebGL reachable

A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable subsequent exploit on the...