
AntV data visualization tool the latest to be hit by ongoing npm supply chain attacks
The world’s largest open-source registry, node package manager (npm), has been hit by another fast-moving malware attack, this time targeting the widely used AntV enterprise data visualization tool.
Unlike last week’s high-profile npm attack on TanStack, which exploited a complex GitHub Actions cache poisoning weakness, the latest incident, early on May 19, took the more conventional route of compromising the credentials of a high-value npm maintainer account.
According to analysis by SafeDep, the account in question, atool, which publishes the timeago.js JavaScript library, had rights to a large catalog of packages, including popular tools such as size-sensor (4.2 million download...