Malicious code in @antv/g6-extension-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@ant-design/graphs (>=2.0.0 <=2.0.4), @antv/g6-extension-react (>=0.0.1 <=0.1.19) potentially affected by unknown CVE via @antv/react-g (=2.1.1)

@antv/react-g NPM version =2.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/react-g and may be impacted: - @ant-design/graphs =2.0.0, =0.0.1, =0.1.19 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4076...

@antv/f-charts (=0.0.0), @antv/f2 (>=5.0.27 <=5.14.0) +7 more potentially affected by unknown CVE via @antv/f-lottie (=1.10.0)

@antv/f-lottie NPM version =1.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/f-lottie and may be impacted: - @antv/f-charts =0.0.0 - @antv/f2 =5.0.27, =5.0.0-alpha.1, =5.0.0-alpha.1, =5.0.1, =0.1.6, =0.9.5 Source cves: unknown CVE Source...

@antv/f2-react (>=5.0.19 <=5.14.0), @antv/f2-site (=5.0.0-alpha.1) potentially affected by unknown CVE via @antv/f-react (=1.10.0)

@antv/f-react NPM version =1.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/f-react and may be impacted: - @antv/f2-react =5.0.19, =5.14.0 - @antv/f2-site =5.0.0-alpha.1 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3885...

@luo-luo/material (>=0.0.1 <=0.0.5-alpha), @yccw/common (>=0.5.85-1 <=2.0.64) +4 more potentially affected by unknown CVE via @antv/g6-react-node (>=1.4.4 <=1.4.8)

@antv/g6-react-node NPM version =1.4.4, =0.0.1, =0.5.85-1, =1.3.0, =1.5.0 - yccw-common =0.5.85 - zzcom =1.0.0 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3995...

MAL-2026-4112 Malicious code in @antv/x6-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-4048 Malicious code in @antv/l7-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/g6-react-node (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/ava (=3.6.0-alpha.0), @antv/g (>=6.0.0 <=6.2.1) +6 more potentially affected by unknown CVE via @antv/g-camera-api (>=2.0.0 <=2.0.9)

@antv/g-camera-api NPM version =2.0.0, =6.0.0, =0.5.9, =2.0.0, =1.2.5, =1.2.6 - expression-language-editor =0.0.4 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3910...

Malicious code in echarts-for-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/chartshaper (>=1.2.0-beta.0 <=1.2.0-beta.3), @antv/dipper-map (>=1.0.1 <=1.0.10) +14 more potentially affected by unknown CVE via @antv/l7-react (=2.4.3)

@antv/l7-react NPM version =2.4.3 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/l7-react and may be impacted: - @antv/chartshaper =1.2.0-beta.0, =1.0.1, =0.6.1, =2.3.70, =1.0.1, =1.0.0, =1.0.0, =1.0.2, =1.0.14 and more Source cves: unknown CVE...

@abtnode/ux (>=1.16.40 <=1.17.12-beta-20260422-093007-b389a838), @ada-lc/echarts-materials (>=0.0.1 <=0.0.2) +492 more potentially affected by unknown CVE via echarts-for-react (>=3.0.0-beta.2 <=3.0.6)

echarts-for-react NPM version =3.0.0-beta.2, =1.16.40, =0.0.1, =0.1.0, =0.0.2-7.1, =0.1.1, =1.0.0, =1.0.0, =1.0.0, =1.3.5-beta.937, =1.0.8-alpha, =3.34.0, =0.1.10, =1.0.5, =0.2.0, =0.4.5-next.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-4132...

@antv/f2-site (=5.0.0-alpha.1) potentially affected by unknown CVE via @antv/f2-react (=5.14.0)

@antv/f2-react NPM version =5.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/f2-react and may be impacted: - @antv/f2-site =5.0.0-alpha.1 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3895...

MAL-2026-4132 Malicious code in echarts-for-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@agentscope-ai/chat (>=1.1.43 <=1.1.63-beta.1778041790294), @ant-design/charts (>=2.2.2 <=2.6.7) +62 more potentially affected by unknown CVE via @antv/g6-extension-react (>=0.1.19 <=0.2.7)

@antv/g6-extension-react NPM version =0.1.19, =1.1.43, =2.2.2, =2.0.0, =1.0.0, =0.1.0, =0.1.0, =1.2.0, =2.0.28, =0.0.18, =2.0.4, =0.0.2, =0.3.64, =0.7.0 - @jackiekim/my-component-library-test =0.1.2 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3989...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...