VYPR
Vypr Intelligence · AI-generated · May 31, 2026

npm: 40 @antv/ Packages Compromised in Coordinated Supply-Chain Attack

On May 19, 2026, advisories for 40 malicious npm packages were published in a single batch. Thirty of them share the @antv/ scope, and the malicious releases were published under the real names of established visualization libraries rather than as typosquats.

Key findings

  • 30 of the 40 malicious packages carry the @antv/ scope, a widely used data-visualization library family
  • All 40 advisories were published at the same time on May 19, 2026, consistent with a single batched takedown
  • Affected packages include long-established libraries with 38k to 82k weekly downloads each
  • Each package has two malicious versions listed: one in the existing version series plus a bumped minor version
  • OpenSSF Package Analysis flagged command execution at install time; the only "domain" indicator extracted was the string canvas-nest.js, which is a package name rather than a resolvable domain (.js is not a TLD)
  • Un-scoped packages (uri-parse, canvas-nest.js, jest-expect, among others) were included in the same batch

Coordinated Compromise of the @antv/ Ecosystem

On May 19, 2026, advisories for 40 malicious packages were published on npm in a single takedown batch, every advisory carrying the same timestamp. The overwhelming majority of the compromised packages belong to the @antv/ scope, a widely used family of data visualization libraries maintained by Ant Group (formerly Ant Financial). The batch also included several un-scoped packages such as uri-parse, canvas-nest.js, boring-avatars-vanilla, jest-expect, and babel-plugin-version, which suggests a broad campaign rather than a breach of a single project.

The @antv/ Campaign Signature

Thirty of the 40 malicious packages carry the @antv/ scope, including @antv/g-webgl, @antv/g-plugin-canvas-renderer, @antv/l7-core, @antv/l7-maps, @antv/x6, @antv/util, and @antv/component. These are not typosquats: they are the *actual* package names of legitimate, long-established visualization libraries, which means an ordinary `npm update` or a caret range in package.json would have pulled the malicious versions in. Many of these packages have been on the registry for years:

  • @antv/g-plugin-canvas-renderer: first published June 2021, now 54k weekly downloads
  • @antv/g-webgpu-engine: first published June 2020, now 82k weekly downloads
  • @antv/l7-core: first published November 2019, now 38k weekly downloads
  • @antv/x6: a core diagram library with a multi-year publishing history
  • @antv/util: a foundational utility package that many other @antv/ packages depend on, so a single bad version reaches the whole scope transitively

The non-scoped packages in the burst are equally notable: uri-parse (first published 2017, 2.4k weekly downloads), canvas-nest.js (a popular visual-effect library), jest-expect (a name that could be mistaken for a Jest testing utility), and babel-plugin-version. The mix of scoped and un-scoped packages, all with established publishing histories, points to a credential-compromise scenario rather than fresh typosquat registration.

Malicious Behavior: Post-Install Payloads

OpenSSF Package Analysis flagged the malicious versions for executing commands during package installation. The behavioral findings indicate that the compromised versions, each published as a minor version bump (for example, @antv/g-webgl went from 2.2.1 to 2.3.1), contained install-time lifecycle scripts that reached out to external infrastructure. The only domain-like indicator the analysis extracted was the string canvas-nest.js. Since .js is not a top-level domain, this is almost certainly the package name canvas-nest.js surfacing from the analysis output rather than a real C2 host; it should not be added to blocklists as a domain, and the actual network destinations remain unpublished as of this writing.

The pattern repeats across the burst: each package has two malicious versions listed, one in the existing version series and a bumped successor (1.1.0 and 1.2.0, 2.2.1 and 2.3.1). Note that the advisory ranges quoted in the Detection section below start at the bumped version (for example, >=2.3.1 for @antv/g-webgl), so treat the advisory ranges as authoritative when auditing. Publishing twice is plausibly an attempt to evade initial detection or to keep a foothold if one version was removed quickly.

Severity and Impact

The GitHub Security Advisories (GHSA) for these packages carry GitHub's standard malware-advisory wording: any computer that has a malicious version installed or running should be considered fully compromised. Code that runs during `npm install` executes with the installing user's privileges, so it can read environment variables (npm tokens, cloud credentials, API keys), drop persistent backdoors, and pivot into CI/CD pipelines, where install steps routinely run with deployment credentials. Given that several of the affected @antv/ packages have tens of thousands of weekly downloads (@antv/g-webgpu-engine at 82k/week, @antv/g-plugin-canvas-renderer at 54k/week, @antv/l7-core at 38k/week), the blast radius is substantial. Organizations using AntV visualization libraries in production dashboards, geospatial applications, or diagram editors should treat this as an active incident.

Detection and Remediation

Developers and security teams should immediately audit their lockfiles (package-lock.json, yarn.lock, or pnpm-lock.yaml) and, on any host that has already run an install, the node_modules tree itself, for the following package names at the malicious version ranges (the range starts at the first malicious version; everything at or above it is affected):

  • @antv/g-webgl >=2.3.1
  • @antv/g-webgpu-engine >=0.9.2
  • @antv/l7-core >=2.27.10
  • @antv/l7-maps >=2.27.10
  • @antv/g-plugin-canvas-renderer >=2.7.1
  • @antv/x6 >=3.3.7
  • @antv/util >=3.5.11
  • uri-parse >=1.2.0
  • canvas-nest.js >=2.2.4
  • jest-expect >=0.2.1
  • babel-plugin-version >=0.4.3

If any match is found, treat the host as compromised: rotate every secret the install could have read (environment variables, npm tokens, cloud and CI credentials, SSH keys) from a trusted, isolated machine, and review npm access logs for publish events made with your organization's tokens. Pin the affected packages to the last version before the malicious bump; `npm ls <package>` shows which versions are actually resolved, including nested copies under other dependencies. Where a transitive dependency pulls in the bad range, force the pin with an `overrides` entry in package.json (or `resolutions` for Yarn) rather than editing the lockfile by hand. Until the maintainers publish clean releases, install with `npm ci --ignore-scripts` in CI so that no lifecycle script can run unattended, and invoke any build steps you genuinely need explicitly.

Broader Context

This burst is one of the larger coordinated compromises of a single npm scope on record. The targeting of the @antv/ ecosystem, a mature and widely adopted visualization framework, mirrors the playbook of earlier supply-chain attacks in which attackers compromise the publishing credentials of popular packages and push malware to downstream consumers through ordinary version upgrades. The simultaneous publication of 40 advisories is consistent with a single enforcement action by the npm security team or Ant Group's security team after the breach was discovered; note, though, that malware advisories derived from OpenSSF Package Analysis are routinely published in batches, so simultaneity by itself does not prove that all 40 packages share one actor. The inclusion of unrelated un-scoped packages (uri-parse, canvas-nest.js, jest-expect) in the same batch hints either that the attacker held a credential or token with publish access across multiple packages, or that the security team swept up every package tied to the same install-time behavior in one action. Which of these holds cannot be determined from the advisories alone.

AI-written article. Grounded in 0 CVE records listed below.