
How to Check for Impacted @antv Packages in Your SBOM

Blog post from Arnica

Post Details
Company: Arnica
Author: Tal Lavi
Date Published: May 19, 2026 • 6
Word Count: 1,020
Language: English
Hacker News Points: -
Summary

On May 19, 2026, an npm supply chain attack known as the Mini Shai-Hulud worm hit the TanStack packages and over 300 others, including Alibaba's AntV suite (@antv) and timeago.js. Using a compromised npm account, the attacker published over 600 malicious versions in two coordinated waves; the payload read CI/CD secrets out of GitHub Actions runner memory and exfiltrated the harvested credentials over two separate channels. The worm then used the stolen tokens to propagate itself, creating over 2,500 public GitHub repositories carrying a reversed campaign marker, so CI/CD pipelines served as both the target and the propagation mechanism. Organizations are advised to rotate all credentials, audit recent npm publish activity, and use tools such as Arnica's SBOM and DepsGuard to detect the malicious versions and block install-time risks, so that any affected or potentially compromised environment is secured before the worm can spread further.
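Because the attack shipped specific malicious versions rather than compromising every release, the practical check is a version-level match between your SBOM and the published list of bad versions. The script below is an added example, not code from the Arnica post or from DepsGuard: it walks a CycloneDX JSON SBOM (including nested components), normalises npm package URLs (scoped names arrive percent-encoded as %40antv/...), and reports exact matches against a denylist. The BAD_VERSIONS table and the SAMPLE_SBOM are constructed placeholders with made-up version numbers; replace the table with the affected-version list from the advisory you are responding to.

```python
"""Flag npm components in a CycloneDX JSON SBOM that match known-bad versions.

Added example for this page; not the vendor's own tooling. The denylist and
the sample SBOM are constructed, with placeholder version numbers.
"""
import json
import sys
from urllib.parse import unquote

# PLACEHOLDER denylist: package name -> set of malicious versions.
# These versions are made up for the example; populate from the advisory.
BAD_VERSIONS = {
    "@antv/g2": {"9.99.0", "9.99.1"},
    "@antv/x6": {"2.99.0"},
    "timeago.js": {"4.99.0"},
}


def parse_npm_purl(purl):
    """Return (name, version) for a pkg:npm purl, else None.

    Scoped packages are encoded as pkg:npm/%40scope/name@version, so the
    scope's '@' must be decoded before splitting on the last '@'.
    Qualifiers (?...) and subpaths (#...) are discarded.
    """
    if not purl.startswith("pkg:npm/"):
        return None
    rest = purl[len("pkg:npm/"):].split("?", 1)[0].split("#", 1)[0]
    rest = unquote(rest)
    idx = rest.rfind("@")
    if idx <= 0:  # no version, or the only '@' is the scope prefix
        return rest, None
    return rest[:idx], rest[idx + 1:]


def iter_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))


def component_identity(comp):
    """Return (npm name, version) for a component, or None if it is not npm.

    Prefers the purl; falls back to group/name/version fields when absent.
    """
    purl = comp.get("purl", "")
    if purl:
        return parse_npm_purl(purl)  # None for non-npm ecosystems
    name = comp.get("name")
    if not name:
        return None
    group = comp.get("group")
    full_name = f"{group}/{name}" if group else name
    return full_name, comp.get("version")


def find_impacted(sbom, bad_versions=BAD_VERSIONS):
    """Return [(name, version, status)] for listed packages.

    status is 'malicious' on an exact bad-version match and 'review' when the
    package is on the list but the SBOM carries no version to compare.
    """
    hits = []
    for comp in iter_components(sbom.get("components")):
        ident = component_identity(comp)
        if not ident:
            continue
        name, version = ident
        if name not in bad_versions:
            continue
        if version is None:
            hits.append((name, None, "review"))
        elif version in bad_versions[name]:
            hits.append((name, version, "malicious"))
    return hits


# Constructed sample SBOM: one bad @antv/g2, one clean @antv/g2, an
# unversioned timeago.js, a bad @antv/x6 nested under another package,
# and a non-npm component that must be ignored.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "@antv", "name": "g2", "version": "9.99.0",
         "purl": "pkg:npm/%40antv/g2@9.99.0"},
        {"type": "library", "group": "@antv", "name": "g2", "version": "5.1.0",
         "purl": "pkg:npm/%40antv/g2@5.1.0"},
        {"type": "library", "name": "timeago.js", "purl": "pkg:npm/timeago.js"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "components": [
             {"type": "library", "group": "@antv", "name": "x6",
              "version": "2.99.0", "purl": "pkg:npm/%40antv/x6@2.99.0"}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
}

if __name__ == "__main__":
    # Usage: python check_sbom.py sbom.json   (defaults to the sample SBOM)
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for name, version, status in find_impacted(sbom):
        print(f"{status:<10} {name}@{version or '?'}")
```

A 'review' hit means the SBOM could not tell you which version was installed; resolve it from the lockfile before deciding the build is clean, since the same package name has both clean and malicious releases.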