Malicious code in @antv/l7-draw (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2025-37017 Malicious code in toledo-chess (npm)

The package toledo-chess was found to contain malicious code...