Active Supply Chain Attack Compromises @antv Packages on npm
Compromised npm maintainer account spreads malware across @antv visualization packages with 1M+ weekly downloads.
Summary
Socket detected an active supply chain attack compromising the atool npm maintainer account, resulting in malicious publishes across the @antv ecosystem and related packages. Affected packages include widely used libraries such as echarts-for-react (1.1M weekly downloads), @antv/g2, @antv/g6 and @antv/x6; in total, hundreds of unique packages were compromised. The attack pattern matches Mini Shai-Hulud, a known high-volume npm compromise technique, and creates significant downstream exposure for organizations whose dependencies update automatically.
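A defender-side check for the exposure described above, added here as an example and not Socket's own tooling: it scans a package.json and a lockfile for the packages the advisory names and for version ranges that would let a fresh install float to a newly published release. The package list covers only the four names on this page (the "hundreds of others" must be added from the full advisory), and the sample manifests, including their version numbers, are constructed for this example.

```javascript
// Added example, not Socket's code. Names are the four packages the
// advisory lists; the other affected packages are not on this page.
const AFFECTED = new Set(["echarts-for-react", "@antv/g2", "@antv/g6", "@antv/x6"]);

// An exact pin looks like 1.2.3 (optionally with a prerelease/build tag).
// Anything else (^, ~, *, x, >=, ranges) lets the resolver float to a
// newer publish, which is how a malicious release reaches auto-updaters.
function isFloatingRange(range) {
  return !/^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

// Audit a package.json object and a lockfile v2/v3 object. Findings:
//  - floating-range: affected package declared with a non-pinned range
//  - installed: affected package present anywhere in the lock tree
function auditManifests(packageJson, lockJson) {
  const findings = [];
  const declared = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    if (AFFECTED.has(name) && isFloatingRange(range)) {
      findings.push({ kind: "floating-range", name, range });
    }
  }
  // Lock keys are paths like "node_modules/foo/node_modules/@antv/g2";
  // the package name follows the last "node_modules/" segment.
  for (const [path, entry] of Object.entries(lockJson.packages || {})) {
    if (path === "") continue; // root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (AFFECTED.has(name)) {
      findings.push({ kind: "installed", name, version: entry.version, path });
    }
  }
  return findings;
}

// Constructed sample manifests (version numbers are placeholders).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "echarts-for-react": "^3.0.0", "@antv/g2": "5.0.0", lodash: "^4.17.21" },
};
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/echarts-for-react": { version: "3.0.0" },
    "node_modules/@antv/g2": { version: "5.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
console.log(auditManifests(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK));
```

Run it against a real project by reading the two files with `JSON.parse(fs.readFileSync(...))` in place of the constructed samples; a `floating-range` finding is the case to fix first by pinning to a version published before the compromise window.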
Indicators of Compromise
- malware — Mini Shai-Hulud