Supply Chain Compromise on  @antv being investigated for more than 300 packages in npm ecosystem

We are continuing to investigate this issue.

The Compromised Packages list is now available at <a href="https://security.snyk.io/antv-supply-chain-compromise-may-2026">https://security.snyk.io/antv-supply-chain-compromise-may-2026</a>

Our blog post is now available: <a href="https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/">Mini Shai-Hulud Hits AntV</a>

Customers can now assess potential impact in the Snyk app by visiting: Analytics → Reports → Zero-Day → Active Security Incident Assessment for Antv Supply Chain Compromise - May 2026

Please continue to refer to the <a href="https://trust.snyk.io/updates">Snyk Trust Center</a> for the latest official updates and customer communications.

The <a href="https://trust.snyk.io/updates">Snyk Trust Center</a> has been updated.

Update:
Snyk is continuing to investigate and respond to the ongoing supply chain compromise of @antv and other packages.

Affected packages: Current findings indicate that multiple npm packages have been identified as affected, including packages within the @antv/* namespace and related packages outside the AntV namespace.

Scope:  Over 639 malicious package versions across more than 323 unique packages, with numbers subject to change

Cause: Investigations indicate the issue was caused by ...

Current scope appears to be: over 630 malicious package versions across more than 315 unique packages, with the AntV suite heavily impacted.
This incident relates to compromised third-party open source packages in the npm ecosystem. There is no indication that Snyk systems, products, or infrastructure were compromised.
As an active investigation, this is subject to change.
We are currently working on confirming the known scope and providing vulnerability advice, reporting, blog, and Trust Cen...