A supply chain compromise involved over 630 malicious package versions across more than 315 unique npm packages, with the AntV suite heavily impacted; a compromised npm maintainer account enabled automated malicious package publishing. Snyk's Open Source service was affected because it monitors these third-party packages, though Snyk's own systems and infrastructure were not compromised. The incident was resolved after 33.5 hours, with Snyk providing vulnerability reporting, remediation guidance through its Trust Center, and tools for customers to assess potential impact in their projects.
Customer Projects: This Status Page incident, “Supply Chain Compromise on AntV,” was opened to share customer-facing updates regarding a third-party compromise within the AntV ecosystem. Because AntV is a Snyk-supported ecosystem, we used this incident to alert customers that they may have projects using the affected package versions.
Snyk Systems: Snyk’s security team has reviewed Snyk's systems, and there is no indication of compromise to Snyk systems, products, or infrastructure. As this issue does not impact the availability or operation of Snyk services, we are resolving this Status Page incident.
Going forward, customer-facing updates, affected package information, and remediation guidance for this issue will be provided through the Snyk Trust Center and related security resources. Snyk will continue to monitor for additional related advisories and update customer-facing resources as needed.
We are continuing to investigate this issue.
The Compromised Packages list is now available at https://security.snyk.io/antv-supply-chain-compromise-may-2026
Our blog post is now available: Mini Shai-Hulud Hits AntV
Customers can now assess potential impact in the Snyk app by visiting: Analytics → Reports → Zero-Day → Active Security Incident Assessment for Antv Supply Chain Compromise - May 2026
Please continue to refer to the Snyk Trust Center for the latest official updates and customer communications.
The Snyk Trust Center has been updated.
Update:
Snyk is continuing to investigate and respond to the ongoing supply chain compromise of @antv and other packages.
Affected packages: Current findings indicate that multiple npm packages have been identified as affected, including packages within the @antv/* namespace and related packages outside the AntV namespace.
Scope: Over 639 malicious package versions across more than 323 unique packages, with numbers subject to change.
Cause: Investigations indicate the issue was caused by a compromised npm maintainer account, enabling automated malicious package publishing.
Immediate action you can take:
- Review dependency trees and lockfiles for affected packages, including packages within the @antv/* namespace and the additional impacted npm packages size-sensor, echarts-for-react, timeago.js, and canvas-nest.js.
- Pin to pre-May 19 versions, run npm install --ignore-scripts, and rotate all credentials.
We will update here as soon as we have additional information or links.
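A lockfile check for the review step above, as an added example that is not Snyk's or npm's own tooling: it lists every resolved entry under @antv/* or matching the four named packages, so the versions can be compared with the published Compromised Packages list. The sample lockfile, its package name under @antv/ and all versions are constructed.

```javascript
// Added example: names are taken from the advisory text; versions are not
// known here and must be compared with the published Compromised Packages list.
const WATCH_NAMES = new Set(["size-sensor", "echarts-for-react", "timeago.js", "canvas-nest.js"]);
const isWatched = (name) => name.startsWith("@antv/") || WATCH_NAMES.has(name);

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function fromPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    // When the folder name differs from the package name (alias), meta.name holds the real name.
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (isWatched(name)) {
      hits.push({ name, version: meta.version, path, hasInstallScript: meta.hasInstallScript === true });
    }
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree; install scripts are not recorded (null).
function fromDependencies(deps, trail = "") {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${trail}node_modules/${name}`;
    if (isWatched(name)) hits.push({ name, version: meta.version, path, hasInstallScript: null });
    hits.push(...fromDependencies(meta.dependencies, `${path}/`));
  }
  return hits;
}

function findWatchlistEntries(lock) {
  return lock.packages ? fromPackages(lock.packages) : fromDependencies(lock.dependencies);
}

// Constructed sample lockfile (the @antv/ package name and all versions are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@antv/constructed-pkg": { version: "0.0.0-sample", hasInstallScript: true },
    "node_modules/unrelated-lib": { version: "1.3.0" },
    "node_modules/charts/node_modules/size-sensor": { version: "0.0.0-sample" },
    "node_modules/ago": { name: "timeago.js", version: "0.0.0-sample" },
  },
};

for (const h of findWatchlistEntries(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version}\t${h.path}\tinstallScript=${h.hasInstallScript}`);
}
```

Against a real project, pass the parsed package-lock.json to findWatchlistEntries; an entry reported with installScript=true is one where npm install --ignore-scripts changes what runs at install time.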
Current scope appears to be: over 630 malicious package versions across more than 315 unique packages, with the AntV suite heavily impacted.
This incident relates to compromised third-party open source packages in the npm ecosystem. There is no indication that Snyk systems, products, or infrastructure were compromised.
As an active investigation, this is subject to change.
We are currently working on confirming the known scope and providing vulnerability advice, reporting, blog, and Trust Center updates.
Please subscribe to this incident for further updates as they become available. Links to additional resources will be provided here.