Snyk incident
Supply Chain Compromise on @antv being investigated for more than 300 packages in npm ecosystem
Snyk experienced a minor incident on May 19, 2026 affecting Snyk Open Source and 1 more component, lasting 1d 9h. The incident has been resolved; the full update timeline is below.
Update timeline
- investigating May 19, 2026, 05:29 AM UTC
Snyk is currently investigating a potential supply chain compromise. Current scope appears to be over 630 malicious package versions across more than 315 unique packages, with the AntV suite heavily impacted. As this is an active investigation, the scope is subject to change. We are currently working on confirming the known scope and providing vulnerability advice, reporting, blog and trust centre updates. Please subscribe to this incident for further updates as they become available. Links to additional resources will be provided here.
- investigating May 19, 2026, 07:55 AM UTC
Update: Snyk is continuing to investigate and respond to the ongoing supply chain compromise of @antv and other packages.
Affected packages: Current findings indicate that multiple npm packages have been identified as affected, including packages within the @antv/* namespace and related packages outside the AntV namespace.
Scope: Over 639 malicious package versions across more than 323 unique packages, with numbers subject to change.
Cause: Investigations indicate the issue was caused by a compromised npm maintainer account, enabling automated malicious package publishing.
Immediate action you can take:
  - Review dependency trees and lockfiles for affected packages, including packages within the @antv/* namespace and the additional impacted npm packages size-sensor, echarts-for-react, timeago.js, canvas-nest.js.
  - Pin to pre-May 19 versions, run npm install --ignore-scripts, rotate all credentials.
We will update here as soon as we have additional information or links.
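The lockfile review step above, as an added example (not Snyk's tooling and not part of the original update): it walks a parsed package-lock.json, in either the flat `packages` layout or the older nested `dependencies` layout, and reports every install of an @antv/* package or one of the four named packages, with its resolved version, install path and whether npm recorded an install script. The function names and the sample lockfile are constructed for illustration; the hits are candidates to compare against the published list of compromised versions.

```javascript
// Added example, not Snyk tooling. The names below are the ones given in the
// status update; they are a review list, not the full set of affected packages.
const WATCH_SCOPE = '@antv/';
const WATCH_NAMES = new Set(['size-sensor', 'echarts-for-react', 'timeago.js', 'canvas-nest.js']);
const isWatched = (name) => name.startsWith(WATCH_SCOPE) || WATCH_NAMES.has(name);

// Walk a parsed package-lock.json and return every install of a watched package.
function findWatched(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue; // root project or workspace source folder
      // An aliased install records its real package name in `name`.
      const name = meta.name || path.slice(idx + 'node_modules/'.length);
      if (!isWatched(name)) continue;
      found.push({ name, version: meta.version, path, hasInstallScript: meta.hasInstallScript === true });
    }
    return found;
  }
  // lockfileVersion 1: nested tree; install scripts are not recorded (null = unknown).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (isWatched(name)) found.push({ name, version: meta.version, path, hasInstallScript: null });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Constructed sample lockfile; the 0.0.0-example versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@antv/g2': { version: '0.0.0-example', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/some-dep/node_modules/size-sensor': { version: '0.0.0-example' },
    'node_modules/charts': { name: 'echarts-for-react', version: '0.0.0-example' },
  },
};
// For a real project, pass JSON.parse of the project's package-lock.json instead.
for (const hit of findWatched(SAMPLE_LOCK)) {
  const flag = hit.hasInstallScript ? ' [install script]' : '';
  console.log(`${hit.name}@${hit.version} at ${hit.path}${flag}`);
}
```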
- investigating May 19, 2026, 08:45 AM UTC
The Snyk Trust Center has been updated.
- investigating May 19, 2026, 08:51 AM UTC
Customers can now assess potential impact in the Snyk app by visiting: Analytics → Reports → Zero-Day → Active Security Incident Assessment for Antv Supply Chain Compromise - May 2026.
Please continue to refer to the Snyk Trust Center for the latest official updates and customer communications.
- investigating May 19, 2026, 09:13 AM UTC
Our blog post is now available: Mini Shai-Hulud Hits AntV
- investigating May 19, 2026, 10:44 AM UTC
The Compromised Packages list is now available at https://security.snyk.io/antv-supply-chain-compromise-may-2026
- investigating May 19, 2026, 09:39 PM UTC
We are continuing to investigate this issue.
- resolved May 20, 2026, 02:57 PM UTC
Customer Projects: This Status Page incident, “Supply Chain Compromise on AntV,” was opened to share customer-facing updates regarding a third-party compromise within the AntV ecosystem. Because AntV is a Snyk-supported ecosystem, we used this incident to alert customers that they may have projects using the affected package versions.
Snyk Systems: Snyk’s security team has reviewed Snyk's systems, and there is no indication of compromise to Snyk systems, products, or infrastructure.
As this issue does not impact the availability or operation of Snyk services, we are resolving this Status Page incident. Going forward, customer-facing updates, affected package information, and remediation guidance for this issue will be provided through the Snyk Trust Center and related security resources. Snyk will continue to monitor for additional related advisories and update customer-facing resources as needed.