The npm ecosystem has been rocked by a major supply chain attack, compromising hundreds of JavaScript packages associated with the @antv data visualization library. This widespread breach, which occurred on May 19, 2026, has affected millions of developers globally by inserting malicious code into popular packages.
Scope of the npm Breach
The attack was carried out through a compromised npm maintainer account, ‘atool’, which was used to publish infected versions of well-known packages. Notably, the widely used echarts-for-react package, with about 1.1 million weekly downloads, was among those affected. The breach extended beyond @antv packages to unrelated packages such as timeago.js and canvas-nest.js, making it one of the largest incidents in recent npm history.
Detection and Analysis
Researchers at Socket.dev quickly identified the malicious activity, categorizing affected versions as malware within minutes of their release. According to a report shared with Cyber Security News (CSN), 639 compromised package versions were detected across 323 unique packages during what was termed the ‘5/19 Mini Shai-Hulud wave’. The broader campaign tracked by Socket.dev includes 1,055 versions spanning npm, PyPI, and Composer registries, with the npm ecosystem bearing the brunt of the attack.
Technical Details and Impact
The malicious code belongs to the Mini Shai-Hulud malware family and is designed to execute its payload during package installation. It encrypts the data it steals to conceal the exfiltration of sensitive developer and CI/CD environment information, such as GitHub tokens and AWS credentials. If a GitHub token is obtained, the malware can use GitHub’s own infrastructure as the exfiltration channel, which makes detection harder. Approximately 1,900 repositories associated with this campaign have been identified; they use Dune-themed names as identification markers.
Organizations affected by this breach should immediately review and audit package updates from the @antv and related npm namespaces. Rotating credentials and scrutinizing CI/CD logs for unauthorized GitHub activity are strongly recommended to mitigate potential damage.
Indicators of Compromise (IoCs) have been shared to assist in identifying affected systems. These include specific domains, URLs, and GitHub repository patterns linked to the attack. Developers are urged to stay vigilant and secure their environments against further threats.
