
Malicious Code Found In AntV Packages
TL;DR: Microsoft has uncovered a supply chain attack targeting the @antv npm ecosystem. Attackers compromised a maintainer's account to publish malicious versions of data-visualization packages. The code aims to steal credentials from CI/CD pipelines and affects widely used libraries like echarts-for-react.
Key facts
- Category
- Cybersecurity
- Impact
- Low
- Published
- Source
- Microsoft Security
Full summary
A supply chain attack has compromised popular @antv npm packages, aiming to steal credentials from developer CI/CD pipelines and cloud environments.
Microsoft's security team has identified an active supply chain attack within the npm package ecosystem, specifically targeting packages under the @antv scope. According to their investigation, a threat actor gained access to an @antv package maintainer's account. Using this access, the attacker published malicious versions of several widely used data-visualization libraries. The malicious code was concealed within a large, heavily obfuscated JavaScript file of approximately 499 KB, which was designed to execute silently in the background. This method allowed the malicious payload to go unnoticed while being integrated into various development projects.
The primary danger of this attack lies in its propagation through the software supply chain. Because the compromised @antv packages are dependencies for other popular libraries, the malicious code spread to a vast number of downstream projects. One notable example is the `echarts-for-react` package, which records over one million weekly downloads. By infecting such a popular library, the attackers significantly widened their reach. The ultimate goal of the malware is to compromise continuous integration and continuous delivery (CI/CD) pipelines and cloud environments. It actively seeks to steal credentials and other sensitive information, posing a serious risk to any organization whose development workflows rely on the affected packages.
Why it matters
This supply chain attack affects a widely used ecosystem, potentially exposing sensitive CI/CD credentials in thousands of downstream projects.
Business impact
Compromised developer tools can lead to stolen cloud credentials, data breaches, and unauthorized access to critical infrastructure, posing a significant financial and reputational risk.
⚡ Action needed
Immediate action is required to check for and remove malicious package versions.
Action checklist
1. Audit your project dependencies for any @antv packages.
2. Check for malicious versions of packages like `echarts-for-react`.
3. Update to a known safe version or remove the dependency if possible.
4. Scan CI/CD environments for signs of compromise.
5. Rotate any credentials or secrets exposed in your build pipelines.
Primary source: Microsoft Security