68 matches found
MINI-M8RH-CPX6-QX3M
Bulletin has no description...
Malicious code in @antv/x6-plugin-selection (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
@antv/xflow (>=2.0.1 <=2.2.4), @antv/xflow-diff (=1.0.0) +63 more potentially affected by unknown CVE via @antv/x6-plugin-transform (>=2.1.7 <=2.1.8)
@antv/x6-plugin-transform NPM version =2.1.7, =2.0.1, =0.0.1, =0.0.2, =0.0.4, =0.0.3, =2.0.4, =0.0.27, =0.0.3, =0.0.2, =0.0.64 - @rxdrag/uml-editor =0.6.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-4111...
Malicious code in @antv/x6-vue3-shape (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Malicious code in @antv/x6-plugin-dnd (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
@glorysoft/mcs_tool (>=0.0.25 <=0.0.28), @ithinkdt/lowcode (>=4.0.0 <=4.0.4) +13 more potentially affected by unknown CVE via @antv/x6 (=3.1.7)
@antv/x6 NPM version =3.1.7 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/x6 and may be impacted: - @glorysoft/mcstool =0.0.25, =4.0.0, =2.0.0, =0.7.0, =0.7.0, =0.14.0, =0.0.1, =1.0.0, =1.0.0, =0.0.1, =1.0.0, =1.0.0, =1.0.4 Source cves: unknown...
@widget-js/mindmap (>=0.0.1 <=0.0.5), gulf_web_scs (>=1.0.0 <=1.0.5) potentially affected by unknown CVE via @antv/x6-react-shape (=3.0.1)
@antv/x6-react-shape NPM version =3.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/x6-react-shape and may be impacted: - @widget-js/mindmap =0.0.1, =1.0.0, =1.0.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4114...
@aidps/canvas-flow (>=1.0.0 <=1.0.1), @antv/xflow (>=2.0.1 <=2.2.4) +59 more potentially affected by unknown CVE via @antv/x6-plugin-minimap (>=2.0.5 <=2.0.7)
@antv/x6-plugin-minimap NPM version =2.0.5, =1.0.0, =2.0.1, =0.0.1, =0.0.4, =0.6.0, =2.0.4, =3.0.0, =3.5.1-alpha.3, =0.0.3, =0.2.2, =0.2.1, =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-4106...
@antv/xflow (>=2.0.1 <=2.2.4), @antv/xflow-diff (=1.0.0) +42 more potentially affected by unknown CVE via @antv/x6-plugin-export (=2.1.6)
@antv/x6-plugin-export NPM version =2.1.6 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/x6-plugin-export and may be impacted: - @antv/xflow =2.0.1, =0.0.1, =0.0.1, =0.0.3, =0.6.1, =0.1.27, =0.1.1, =0.0.4, =2.0.4, =0.0.27, =3.0.0, =0.0.3, =0.3.2...
@aidps/canvas-flow (>=1.0.0 <=1.0.1), @antv/xflow (>=2.0.1 <=2.2.4) +76 more potentially affected by unknown CVE via @antv/x6-plugin-clipboard (=2.1.6)
@antv/x6-plugin-clipboard NPM version =2.1.6 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/x6-plugin-clipboard and may be impacted: - @aidps/canvas-flow =1.0.0, =2.0.1, =0.0.1, =0.0.2, =1.0.0-beta.46, =0.0.4, =0.0.3, =2.0.4, =0.0.27, =3.0.0,...
MAL-2026-4109 Malicious code in @antv/x6-plugin-snapline (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-4115 Malicious code in @antv/x6-vector (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-4104 Malicious code in @antv/x6-plugin-history (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Malicious code in @antv/x6 (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
@aidps/canvas-flow (>=1.0.0 <=1.0.1), @antv/xflow (>=2.0.1 <=2.2.4) +113 more potentially affected by unknown CVE via @antv/x6-plugin-selection (>=2.0.0 <=2.2.2)
@antv/x6-plugin-selection NPM version =2.0.0, =1.0.0, =2.0.1, =0.0.1, =0.0.2, =1.0.0-beta.46, =0.0.4, =0.7.0, =0.0.3, =2.0.4, =0.0.27, =3.0.0, =4.0.0-600 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-4108...
@appthen/x6-plugins (=0.1.4), @arch-diagram/core (>=0.0.1 <=0.0.2) +48 more potentially affected by unknown CVE via @antv/x6-plugin-stencil (>=2.0.2 <=2.1.5)
@antv/x6-plugin-stencil NPM version =2.0.2, =0.0.1, =0.0.2, =0.0.3, =0.0.1, =0.0.3, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.17 - @xrhcc-flow/busiflow =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-4110...
@ithinkdt/lowcode (>=4.0.0 <=4.0.4), @nywqs/scada-engine (>=2.0.0 <=2.0.3) +2 more potentially affected by unknown CVE via @antv/x6-vue-shape (=3.0.2)
@antv/x6-vue-shape NPM version =3.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/x6-vue-shape and may be impacted: - @ithinkdt/lowcode =4.0.0, =2.0.0, =1.0.0, =1.0.54 - ems-desktop =1.0.8-202601151630 Source cves: unknown CVE Source advisory...
@aidps/canvas-flow (>=1.0.0 <=1.0.1), @antv/x6-plugin-stencil (>=2.1.4 <=2.1.5) +102 more potentially affected by unknown CVE via @antv/x6-plugin-dnd (>=2.0.4 <=2.1.1)
@antv/x6-plugin-dnd NPM version =2.0.4, =1.0.0, =2.1.4, =2.0.1, =0.0.1, =0.0.2, =0.0.4, =0.7.0, =0.0.3, =2.0.4, =0.0.27, =0.0.3, =0.3.24 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-4102...
MAL-2026-4117 Malicious code in @antv/x6-vue3-shape (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-4099 Malicious code in @antv/x6-common (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...