MAL-2026-3974 Malicious code in @antv/g2-brush (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-3973 Malicious code in @antv/g2 (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/g2-brush (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-3977 Malicious code in @antv/g2-extension-plot (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/g2 (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

1byte-react-design (>=1.7.1 <=1.14.0), @alicloud-panxi/aicoach-sdk (>=1.0.1 <=1.1.44) +192 more potentially affected by unknown CVE via @antv/g2 (>=5.0.0-beta.5 <=5.4.8)

@antv/g2 NPM version =5.0.0-beta.5, =1.7.1, =1.0.1, =2.0.0, =1.0.0, =2.0.0, =3.0.0, =3.0.0, =0.5.6, =5.1.5, =0.1.6, =0.1.0, =0.1.0, =0.0.1, =3.0.0-alpha.0, =2.1.2, =2.2.21 and more Source cves: unknown CVE Source advisory: SNYK:JS-ANTVG2-16754346...

1byte-react-design (>=1.7.1 <=1.14.0), @ant-design/charts (>=2.0.3 <=2.6.7) +100 more potentially affected by unknown CVE via @antv/g2-extension-plot (>=0.1.2 <=0.2.2)

@antv/g2-extension-plot NPM version =0.1.2, =1.7.1, =2.0.3, =1.0.0, =2.0.8, =0.0.1, =0.1.0, =1.0.0, =1.0.1, =2.0.2, =1.2.0, =4.1.13, =1.0.1, =3.0.28 and more Source cves: unknown CVE Source advisory: SNYK:JS-ANTVG2EXTENSIONPLOT-16754921...

datavis-editor (=0.1.0), datavis-editor-flow (=0.1.0) +1 more potentially affected by unknown CVE via @antv/g2-extension-ava (=0.2.0)

@antv/g2-extension-ava NPM version =0.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/g2-extension-ava and may be impacted: - datavis-editor =0.1.0 - datavis-editor-flow =0.1.0 - ty-chat-components-v1 =0.0.1, =0.0.5 Source cves: unknown CVE...

@alicloud/cloud-charts (>=0.1.0 <=0.1.10), @alicloud/console-charts (>=0.1.0 <=0.3.0) +140 more potentially affected by unknown CVE via @antv/g2-brush (=0.0.2)

@antv/g2-brush NPM version =0.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/g2-brush and may be impacted: - @alicloud/cloud-charts =0.1.0, =0.1.0, =0.0.113, =0.0.113, =0.1.4-beta-3.3, =2.5.1, =0.0.5, =0.0.5, =0.0.5, =0.0.5, =0.0.5, =0.0.5,...

datavis-editor (=0.1.0), datavis-editor-flow (=0.1.0) +1 more potentially affected by unknown CVE via @antv/g2-extension-ava (=0.2.0)

@antv/g2-extension-ava NPM version =0.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/g2-extension-ava and may be impacted: - datavis-editor =0.1.0 - datavis-editor-flow =0.1.0 - ty-chat-components-v1 =0.0.1, =0.0.5 Source cves: unknown CVE...

@antv/g2 (>=3.2.0 <=3.2.8-beta.6), @bizcharts/other-datamarker_dataregion (>=0.0.1 <=0.1.4) +22 more potentially affected by unknown CVE via @antv/interaction (>=0.0.8 <=0.1.5)

@antv/interaction NPM version =0.0.8, =3.2.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.0, =1.0.0, =1.0.4, =0.1.8, =1.0.4, =1.0.4, =0.1.4, =0.1.14, =0.1.5, =1.0.5, =3.0.1 and more Source cves: unknown CVE Source advisory: SNYK:JS-ANTVINTERACTION-16755011...

@antv/ava-react (>=3.0.0 <=3.3.2-beta.1), @antv/g2 (>=5.1.5 <=5.1.6-beta.1) +12 more potentially affected by unknown CVE via @antv/ava (>=3.0.0-alpha.0 <=3.4.1)

@antv/ava NPM version =3.0.0-alpha.0, =3.0.0, =5.1.5, =0.1.0, =1.0.0, =0.0.1-lb, =0.0.30, =0.0.0, =0.1.1, =1.1.1, =0.0.4, =0.0.1, =0.0.5 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVAVA-16754363...

@antv/gpt-vis (=0.5.0-beta.0), @antv/gpt-vis-ssr (>=0.1.0 <=0.3.8) +7 more potentially affected by unknown CVE via @antv/g2-ssr (>=0.0.8 <=0.2.0)

@antv/g2-ssr NPM version =0.0.8, =0.1.0, =0.0.1, =0.0.1, =1.0.0, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVG2SSR-16754434...