The npm account 'atool' (associated with GitHub user hustcc) was compromised, leading to malicious releases across 24 packages in a 10-minute window on May 19, 2026. The attacker targeted high-download packages including timeago.js (1.5M+ weekly downloads) and the AntV visualization ecosystem (packages like @antv/g6, @antv/g2, @antv/l7). The malicious code functions as a CI/CD credential stealer, targeting environments like GitHub Actions, GitLab CI, and Kubernetes-hosted pipelines that hold elevated cloud credentials. Affected packages are widely used in data engineering pipelines, financial dashboards, and enterprise React/Vue/Angular front-end builds.
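The first question a defender asks after reading a notice like this is whether any of the named packages are present in a build, including transitively. The script below is an added example, not code from the advisory or from the affected projects: it scans an npm `package-lock.json` (both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1) for the packages named above and reports every install path where one appears. The page does not list the compromised version numbers or the full set of 24 packages, so `WATCHED_PACKAGES` holds only the four named here and `COMPROMISED_VERSIONS` is an empty placeholder to be filled from the published advisory; the embedded lockfile and its version strings are constructed sample data.

```python
import json
import sys
from typing import Dict, List, Set, Tuple

# Packages named in the notice above. The other 20 of the 24 are not on this page;
# extend this set from the published advisory.
WATCHED_PACKAGES: Set[str] = {"timeago.js", "@antv/g6", "@antv/g2", "@antv/l7"}

# Placeholder: the page gives no version numbers. Fill in per package once known,
# e.g. {"timeago.js": {"x.y.z"}}. Until then every hit is reported as "review".
COMPROMISED_VERSIONS: Dict[str, Set[str]] = {}

Hit = Tuple[str, str, str, str]  # (package name, version, install path, verdict)


def _name_from_lock_path(path: str) -> str:
    """'node_modules/a/node_modules/@antv/g2' -> '@antv/g2' (last node_modules segment)."""
    idx = path.rfind("node_modules/")
    return path[idx + len("node_modules/"):] if idx != -1 else path


def _verdict(name: str, version: str) -> str:
    known_bad = COMPROMISED_VERSIONS.get(name)
    if known_bad is None:
        return "review"  # package is on the watch list, but no version data loaded
    return "compromised" if version in known_bad else "clean-version"


def find_watched(lock: dict) -> List[Hit]:
    """Return every occurrence of a watched package in a package-lock.json document."""
    hits: List[Hit] = []

    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            name = _name_from_lock_path(path)
            if name in WATCHED_PACKAGES:
                version = meta.get("version", "?")
                hits.append((name, version, path, _verdict(name, version)))
        return hits

    # lockfileVersion 1: nested "dependencies" tree, recurse with the install path
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name in WATCHED_PACKAGES:
                version = meta.get("version", "?")
                hits.append((name, version, path, _verdict(name, version)))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


# Constructed sample lockfile (v3); versions are invented for the demo, not real IoCs.
SAMPLE_LOCK_V3 = {
    "name": "dashboard",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "dashboard", "version": "1.0.0"},
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/timeago.js": {"version": "4.0.2"},
        "node_modules/@antv/g6": {"version": "4.8.24"},
        # transitive copy nested under another package: must still be found
        "node_modules/@antv/g6/node_modules/@antv/g2": {"version": "4.2.10"},
    },
}

# Constructed sample lockfile (v1) exercising the nested-tree code path.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "vue": {"version": "3.4.0"},
        "@antv/l7": {
            "version": "2.20.0",
            "dependencies": {"timeago.js": {"version": "4.0.2"}},
        },
    },
}


def main() -> None:
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    for name, version, path, verdict in find_watched(lock):
        print(f"{verdict:12} {name}@{version}  ({path})")


if __name__ == "__main__":
    main()
```

Run it as `python scan_lock.py path/to/package-lock.json`; with no argument it scans the embedded sample. A "review" verdict only means the package is on the watch list, so the next step is comparing the reported version against the advisory and, for any CI runner that installed a compromised version, treating the credentials that runner could reach (cloud keys, registry tokens, Kubernetes service-account tokens) as exposed and rotating them.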