An ongoing active supply chain attack has hit several popular npm ecosystems. Attackers have published malicious code to 639 versions across 323 packages in the @antv npm ecosystem.
@antv is a widely used data visualization library. Because these packages are widely used as dependencies, the compromise impacted multiple downstream libraries, including echarts-for-react, a popular React wrapper for Apache ECharts with over one million weekly downloads.
Several of the affected packages have millions of weekly downloads, including size-sensor (4.2 million), echarts-for-react (3.8 million), @antv/scale (2.2 million), timeago.js (1.15 million), @antv/path-util (1.1 million), @antv/g (one million), and @antv/g-svg (975,000).
Threat researchers at Socket Security brought attention to the attack, writing in an advisory: “The potential blast radius is significant because the affected publishing account is connected to widely used packages across data visualization, graphing, mapping, charting, and React component ecosystems.”
Socket detected most of the malicious activity within six to 12 minutes of publication, with a median detection time of about 6.7 minutes.
“Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions,” Socket wrote.
The attack was not isolated. The pattern of the attack matches Mini Shai-Hulud, a malware family which has been spreading through npm since late 2025.
The malware exhibited worm-like behavior: it validated stolen npm tokens, injected the payload, and republished under the compromised maintainer identity.
Over 2,000 public GitHub repos were using the reversed Shai-Hulud marker and Dune-themed names, showing the fallback path is active at scale.
The Bigger Picture
Earlier this week, threat researchers at StepSecurity found that popular GitHub Action “actions-cool/issues-helper” (used in thousands of CI/CD workflows) had its version tags redirected to point at malicious “imposter commits”.
“Because every tag now resolves to malicious commits, any workflow that references the action by version pulls the malicious code on its next run. Only workflows pinned to a known-good full commit SHA are unaffected,” threat researcher Varun Sharma said.
Threat researchers at SafeDep found that the malware also targets AI coding tools (Claude Code, GitHub Copilot/Codex, VS Code), Docker environments, and uses GitHub itself as a command-and-control (C2) channel, making it much harder to detect with traditional security tooling.
Both attacks share the same exfiltration domain (t.m-kosche[.]com). Socket’s head of threat intelligence Philipp Burckhardt told The Hacker News the overlap is “strong enough that we’re treating them as related,” though researchers are still investigating the exact initial access path.
How To Stay Protected
Microsoft Threat Intelligence has recommended teams to audit dependencies for affected packages and downgrade to known good versions. If packages have been affected, revoke and rotate any exposed credentials.
Teams should also validate the integrity of CI pipelines and recent build artifacts. Stolen artifacts are being exfiltrated over HTTPS to t.m-kosche[.]com:443. Teams should block this connection egress and review network logs for outbound connections.
