This page summarizes the AntV npm supply chain compromise associated with the ongoing “Mini Shai-Hulud” campaign.
The incident involved compromised npm packages published under the @antv/* namespace, along with additional npm packages. The compromised packages reportedly included mechanisms for credential harvesting, GitHub-based exfiltration, and further supply-chain propagation via malicious package publishing. .
You can use this page to identify affected package versions and review recommended remediation actions.
For additional background and technical details, please refer to: “Snyk Blog Post”
Packages affected by zero-day vulnerabilities
Showing 30 of 323 • Page 1 of 11
- C
- C
- C
Embedded Malicious Code in @antv/g2 (npm)- C
Embedded Malicious Code in @antv/g2plot (npm)- C
Embedded Malicious Code in @antv/s2 (npm)- C
Embedded Malicious Code in @antv/li-p2 (npm)- C
Embedded Malicious Code in @antv/smart-color (npm)- C
Embedded Malicious Code in @antv/s2-react (npm)- C
Embedded Malicious Code in @antv/li-sdk (npm)- C
- C
Embedded Malicious Code in @antv/f6-alipay (npm)- C
Embedded Malicious Code in ribbon.js (npm)- C
- C
- C
- C
Embedded Malicious Code in @antv/torch (npm)- C
- C
- C
Embedded Malicious Code in @antv/g2-ssr (npm)- C
- C
Embedded Malicious Code in @antv/l7-map (npm)- C
- C
- C
Embedded Malicious Code in @antv/l7-pass (npm)- C
- C
- C
Embedded Malicious Code in @antv/g2-brush (npm)- C
Embedded Malicious Code in @antv/geo-coord (npm)- C
Embedded Malicious Code in @antv/gi-sdk-app (npm)- C
Page 1 of 11