
12 matches found

OSV
added 2026/05/19 12:0 a.m., 6 views

MAL-2026-4080 Malicious code in @antv/s2-ssr (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8 AI score
Exploits: 0, References: 5
OSV
added 2026/05/19 12:0 a.m., 3 views

MAL-2026-4079 Malicious code in @antv/s2-react-components (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8 AI score
Exploits: 0, References: 4
OSV
added 2026/05/19 12:0 a.m., 4 views

MAL-2026-4078 Malicious code in @antv/s2-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8 AI score
Exploits: 0, References: 5
OSV
added 2026/05/19 12:0 a.m., 3 views

MAL-2026-4081 Malicious code in @antv/s2-vue (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8 AI score
Exploits: 0, References: 5
vulnersOsv
added 2026/05/18 9:0 p.m., 2 views

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +11 more potentially affected by unknown CVE via @antv/g-plugin-dom-interaction (>=2.0.0 <=2.1.9)

@antv/g-plugin-dom-interaction NPM version =2.0.0, =2.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.56 - @antv/g6 =5.0.46 - @antv/g6-extension-3d =0.1.20 - @antv/s2 =2.4.12-alpha.1 Source cves: unknown CVE Source advisory:...

5.5 AI score
Exploits: 0
vulnersOsv
added 2026/05/18 9:0 p.m., 2 views

@antv/gpt-vis-ssr (>=0.3.4 <=0.3.8), @tiangong-ai/vis-server (>=0.0.1 <=0.0.5) potentially affected by unknown CVE via @antv/s2-ssr (>=0.0.2 <=0.1.1)

@antv/s2-ssr NPM version =0.0.2, =0.3.4, =0.0.1, =0.0.5 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVS2SSR-16755111...

5.5 AI score
Exploits: 0
vulnersOsv
added 2026/05/18 9:0 p.m., 3 views

@antv/gpt-vis-ssr (>=0.3.4 <=0.3.8), @tiangong-ai/vis-server (>=0.0.1 <=0.0.5) potentially affected by unknown CVE via @antv/s2-ssr (>=0.0.2 <=0.1.1)

@antv/s2-ssr NPM version =0.0.2, =0.3.4, =0.0.1, =0.0.5 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVS2SSR-16754942...

5.5 AI score
Exploits: 0
Snyk
added 2026/05/18 9:0 p.m., 7 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8 CVSS, 5.9 AI score
Exploits: 0, References: 2
vulnersOsv
added 2026/05/18 9:0 p.m., 2 views

@antv/gpt-vis (>=0.6.0 <=0.6.1), @antv/gpt-vis-ssr (>=0.3.4 <=0.3.8) +17 more potentially affected by unknown CVE via @antv/s2 (>=2.0.0-next.25 <=2.7.1)

@antv/s2 NPM version =2.0.0-next.25, =0.6.0, =0.3.4, =0.0.1, =1.0.0-alpha18, =0.5.63, =0.5.66, =0.0.1, =0.1.1, =0.0.21, =1.0.5, =0.0.1-alpha.0, =0.0.1-beta.3 - qbi-charts =1.0.17 and more Source cves: unknown CVE Source advisory: SNYK:JS-ANTVS2-16754353...

5.5 AI score
Exploits: 0
vulnersOsv
added 2026/05/18 9:0 p.m., 2 views

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +9 more potentially affected by unknown CVE via @antv/g-plugin-html-renderer (>=2.0.0 <=2.3.1)

@antv/g-plugin-html-renderer NPM version =2.0.0, =2.0.0, =1.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.56 - @antv/g6 =5.0.46 - @antv/g6-extension-3d =0.1.20 - @antv/s2 =2.4.12-alpha.1 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINHTMLRENDERER-16754947...

5.5 AI score
Exploits: 0
vulnersOsv
added 2026/05/18 9:0 p.m., 2 views

@binarysee/widgets (=1.0.5), @binlove/widgets (=1.0.5) potentially affected by unknown CVE via @antv/s2-react (=2.0.0-next.28)

@antv/s2-react NPM version =2.0.0-next.28 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/s2-react and may be impacted: - @binarysee/widgets =1.0.5 - @binlove/widgets =1.0.5 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVS2REACT-16754376...

5.5 AI score
Exploits: 0
vulnersOsv
added 2026/05/18 9:0 p.m., 3 views

qbi-charts (=1.0.17), shuyi-charts (>=1.1.1 <=1.1.27) potentially affected by unknown CVE via @antv/s2-vue (=2.2.0)

@antv/s2-vue NPM version =2.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/s2-vue and may be impacted: - qbi-charts =1.0.17 - shuyi-charts =1.1.1, =1.1.27 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVS2VUE-16754366...

5.5 AI score
Exploits: 0