MAL-2026-4048 Malicious code in @antv/l7-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/l7 (>=2.1.13 <=2.25.10), @antv/l7-draw (>=2.1.13 <=2.1.14) +6 more potentially affected by unknown CVE via @antv/l7-renderer (>=2.10.0 <=2.25.9)

@antv/l7-renderer NPM version =2.10.0, =2.1.13, =2.1.13, =2.10.0, =2.1.13, =2.1.13, =2.10.0, =1.0.0, =1.0.17, =1.0.18 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVL7RENDERER-16754403...

@antv/chartshaper (>=1.2.0-beta.0 <=1.2.0-beta.3), @antv/dipper-map (>=1.0.1 <=1.0.10) +14 more potentially affected by unknown CVE via @antv/l7-react (=2.4.3)

@antv/l7-react NPM version =2.4.3 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/l7-react and may be impacted: - @antv/chartshaper =1.2.0-beta.0, =1.0.1, =0.6.1, =2.3.70, =1.0.1, =1.0.0, =1.0.0, =1.0.2, =1.0.14 and more Source cves: unknown CVE...