Supply Chain Attack Floods npm With 600+ Malicious Packages
Threat actors unleashed over 600 poisoned packages on npm in a campaign dubbed Shai-Hulud, hitting the @antv ecosystem hardest.
A massive supply chain attack just slammed the npm registry. Threat actors pushed more than 600 malicious package versions to the Node Package Manager index in a coordinated assault known as the Shai-Hulud campaign.
The bulk of the damage landed in the @antv ecosystem, a popular collection of data visualization libraries. The attackers published malicious versions of existing, legitimately named packages, so the poisoned code rides in under names developers already trust. Any project with a floating version range, or any fresh install without a lockfile, picks up the new version on its next update. (This is distinct from dependency confusion, which relies on registering a public package under a name an organization only uses privately.)
The scale here is notable. Six hundred malicious versions in a single campaign signals serious automation and intent. For any team with @antv dependencies, auditing your lockfile is urgent: enumerate every @antv package it resolves, direct and transitive, and confirm each version is one you installed before the campaign rather than one pulled in since.
npm supply chain attacks keep escalating in both frequency and sophistication. This one's a reminder that the open source dependency model remains a fat target.