[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHJJSpJ8D8DZfe3NsY6HbChFQpOyO--v1351DGmlGgr8":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"97dcf86d-1f79-4cb3-b31a-6da8160808f7","Active Supply Chain Attack Compromises @antv Packages on npm","active-supply-chain-attack-compromises-antv-packages-on-npm-6706c3","Socket’s Threat Research team is investigating an active npm supply chain attack involving compromised packages in the @antv ecosystem. The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly downloads. Socket quickly detected the malicious publish wave and classified the affected versions as known malware. Socket’s internal review identified hundreds of unique packages. The pattern matches Mini Shai-Hulud, a high-volume npm compromise pattern involving coordinated malicious publishes across packages tied to a compromised maintainer account. The affected package set includes widely used @antv packages such as @antv\u002Fg2, @antv\u002Fg6, @antv\u002Fx6, @antv\u002Fl7, @antv\u002Fs2, @antv\u002Ff2, @antv\u002Fg, @antv\u002Fg2plot, @antv\u002Fgraphin, and @antv\u002Fdata-set, along with related packages outside the @antv namespace, including echarts-for-react, timeago.js, size-sensor, canvas-nest.js, and others. The potential blast radius is significant because the affected publishing account is connected to widely used packages across data visualization, graphing, mapping, charting, and React component ecosystems. Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions. 
That scale makes this one of the larger npm supply chain incidents Socket has investigated recently. This is a developing story. Socket is continuing to investigate the full scope of the compromise and will update this post as additional affected packages, versions, and payload details are confirmed. Recommended Action # Developers and security teams should immediately review recent installs and lockfiles for packages in the @antv ecosystem and packages published by atool. Affected Packages #","Socket detected an active supply chain attack compromising the atool npm maintainer account, resulting in malicious publishes across the @antv ecosystem and related packages. Affected packages include widely-used libraries like echarts-for-react (1.1M weekly downloads), @antv\u002Fg2, @antv\u002Fg6, @antv\u002Fx6, and others totaling hundreds of unique compromised packages. The attack pattern matches Mini Shai-Hulud, a known high-volume npm compromise technique, creating significant downstream exposure for organizations with auto-updating dependencies.","Compromised npm maintainer account spreads malware across @antv visualization packages with 1M+ weekly downloads.","Research\u002FSecurity NewsTrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.ioTrapDoor crypto stealer hits 36 malicious packages across npm, PyPI, and Crates.io, targeting crypto, DeFi, AI, and security developers.By Socket Research Team - May 24, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fantv-packages-compromised?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fe24a7f4437ee577d2d69db1e54b2cdc6f3cfe1b3-1072x741.png?w=1000&q=95&fit=max&auto=format","2026-05-19T02:49:34.652+00:00","2026-05-19T04:00:11.331321+00:00",9,[18,21,24,27,29,31],{"name":19,"type":20},"atool (compromised 
maintainer account)","threat_actor",{"name":22,"type":23},"Mini Shai-Hulud","campaign",{"name":25,"type":26},"echarts-for-react","product",{"name":28,"type":26},"@antv\u002Fg2",{"name":30,"type":26},"@antv\u002Fg6",{"name":32,"type":26},"@antv\u002Fx6","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":33,"icon":35,"name":36,"slug":37},null,"Supply Chain","supply-chain",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[55],{"type":43,"value":22,"context":56},"High-volume npm compromise pattern involving coordinated malicious publishes across packages tied to compromised maintainer accounts"]