On May 20, 2026, Microsoft reported that @antv npm packages were compromised in the Mini Shai-Hulud campaign. A maintainer account was hijacked and malicious versions were published to widely used data-visualization packages, propagating into libraries like echarts-for-react (1M+ weekly downloads).
I ran the @antv packages through Commit's behavioral audit. None scored CRITICAL. That surprised me for about ten seconds — then it clicked.
The @antv audit
| Package | Score | Publishers | Downloads/wk | Risk |
|---|---|---|---|---|
| @antv/g6 | 89 | 17 | 228K | — |
| @antv/g2 | 87 | 18 | 337K | — |
| @antv/x6 | 87 | 17 | 109K | — |
| @antv/l7 | 83 | 17 | 45K | — |
| @antv/s2 | 80 | 17 | 8K | — |
Seventeen publishers. Decent Scorecard scores. No CRITICAL flags.
The attack worked because one of those seventeen accounts was compromised. Behavioral signals that measure publisher concentration don't catch this shape of attack — they catch a different one.
Three attacks in two weeks. Three different profiles.
| Attack | Date | Publishers | Vector | Behavioral flag? |
|---|---|---|---|---|
| TanStack | May 11 | 5 | GitHub Actions OIDC token hijack | No — bypassed publisher layer |
| node-ipc | May 14 | 1 | Sole publisher credential theft | Yes — CRITICAL before attack |
| @antv | May 20 | 17 | Maintainer account compromise | No — multi-publisher dilutes risk |
node-ipc is the archetype of publisher concentration risk: one person, 10M+ downloads per week, one compromised credential away from a malicious publish reaching millions of machines. Commit flagged it CRITICAL months before the attack.
TanStack is a CI/CD pipeline attack. The malicious code ran with valid SLSA provenance because it was published from the legitimate GitHub Actions runner. Publisher count is irrelevant — the attack bypassed the registry entirely.
@antv sits between them. Multiple publishers raise the cost of compromise but don't eliminate it. One compromised account out of seventeen was enough.
No single signal catches everything
This is the uncomfortable truth that tool marketing usually avoids.
- Publisher concentration (what Commit measures) catches node-ipc-shaped attacks. Single point of failure, credential theft, massive blast radius.
- Process security (OpenSSF Scorecard) catches CI/CD pipeline weaknesses. But axios scored 8.0/10 on Scorecard and was still attacked.
- Behavioral analysis (Socket) catches malicious code patterns at install time. But only after the malicious version is published.
Three attacks, three profiles, three different tools. The fantasy of one tool to catch them all is marketing, not security.
What Commit does catch
Right now, these npm packages have one publisher and more than 10M weekly downloads:
| Package | Downloads/wk | Publishers |
|---|---|---|
| minimatch | 562M | 1 |
| chalk | 413M | 1 |
| glob | 333M | 1 |
| cross-spawn | 190M | 1 |
| zod | 163M | 1 |
| lodash | 145M | 1 |
| axios | 109M | 1 |
| hono | 37M | 1 |
npm audit shows zero vulnerabilities for all of them. When the next credential-theft attack hits npm, behavioral signals will have flagged it. Process scores won't have helped. And when the next CI/CD attack hits, behavioral signals won't help. Scorecard will. Use both.
Check your own stack
npx proof-of-commitment --file package-lock.json
Or scan directly: getcommit.dev/audit.
Open source on GitHub. Pro tier adds batch API, monitoring, and alerts.
Top comments (0)