MAL-2026-3968 Malicious code in @antv/g-webgpu-compiler (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/g-webgpu (>=0.1.0-alpha.0 <=0.4.1), @antv/g-webgpu-core (>=0.1.0-alpha.0 <=0.4.1) +2 more potentially affected by unknown CVE via @antv/g-webgpu-compiler (>=0.1.2 <=0.6.0)

@antv/g-webgpu-compiler NPM version =0.1.2, =0.1.0-alpha.0, =0.1.0-alpha.0, =0.1.0-alpha.0, =0.5.0, =0.6.0 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGWEBGPUCOMPILER-16754459...