@antv Had 17 npm Publishers When It Was Compromised. That’s the Point.

Three attacks, three structural profiles, three different detection surfaces.

On May 20, 2026, Microsoft reported that @antv npm packages were compromised in the Mini Shai-Hulud campaign. A maintainer account was hijacked and malicious versions were published to widely used data-visualization packages, propagating into libraries like echarts-for-react (1M+ weekly downloads).

I ran the @antv packages through Commit’s behavioral audit. None scored CRITICAL. That surprised me for about ten seconds—then it clicked.


The @antv audit

Package Score Publishers Downloads/wk Risk
@antv/g68917228K
@antv/g28718337K
@antv/x68717109K
@antv/l7831745K
@antv/s280178K

Seventeen publishers. Decent Scorecard scores. No CRITICAL flags.

The attack worked because one of those seventeen accounts was compromised. A single phished credential was enough. Behavioral signals that measure publisher concentration don’t catch this shape of attack—they catch a different one.


Three attacks in two weeks. Three different profiles.

May 2026 gave us three major npm compromises, each with a different structural fingerprint.

Attack   | Date   | Publishers | Vector                           | Behavioral flag?
TanStack | May 11 | 5          | GitHub Actions OIDC token hijack | No — bypassed publisher layer
node-ipc | May 14 | 1          | Sole publisher credential theft  | Yes — CRITICAL before attack
@antv    | May 20 | 17         | Maintainer account compromise    | No — multi-publisher dilutes risk

node-ipc is the archetype of publisher concentration risk: one person, 10M+ downloads per week, one compromised credential away from a malicious publish reaching millions of machines. Commit flagged it CRITICAL months before the attack.

TanStack is a CI/CD pipeline attack. The malicious code shipped with valid SLSA provenance because it was published from the legitimate GitHub Actions runner. Publisher count is irrelevant—the attack bypassed the publisher-credential layer entirely.

@antv sits between them. Multiple publishers should raise the cost of compromise (you need to phish one of seventeen accounts, not the only one). But “harder” is not “impossible.” One compromised account out of seventeen was enough.


No single signal catches everything

This is the uncomfortable truth that tool marketing usually avoids.

  • Publisher concentration (what Commit measures) catches node-ipc-shaped attacks. Single point of failure, credential theft, massive blast radius. These are the attacks where the structural weakness is visible before the incident.
  • Process security (OpenSSF Scorecard) catches CI/CD pipeline weaknesses. Dangerous workflows, missing branch protection, no code review. But axios scored 8.0/10 on Scorecard and was still attacked via credential theft.
  • Behavioral analysis (Socket) catches malicious code patterns at install time. Obfuscated payloads, network calls, filesystem access. But only after the malicious version is published.

@antv had 17 publishers and a 4.3/10 Scorecard. TanStack had 5 publishers and valid SLSA. node-ipc had 1 publisher and no Scorecard at all.

Three attacks, three profiles, three different tools that would have been most useful. The fantasy of one tool to catch them all is marketing, not security.


What Commit does catch

Right now, these npm packages have one publisher and more than 10 million weekly downloads:

Package     | Downloads/wk | Publishers
minimatch   | 562M         | 1
chalk       | 413M         | 1
glob        | 333M         | 1
cross-spawn | 190M         | 1
zod         | 163M         | 1
lodash      | 145M         | 1
axios       | 109M         | 1
hono        | 37M          | 1

npm audit shows zero vulnerabilities for all of them. They’re working as intended. The risk isn’t in the code—it’s in the account that publishes the code.
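As an added example (not Commit's own code or scoring), here is the publisher-concentration check described above run over a constructed package-lock.json and a constructed registry snapshot; it assumes a `maintainers` array in the shape of the npm packument field and uses the one-publisher, 10M-weekly threshold the article states.

```javascript
// Added example, not Commit's code: the publisher-concentration check the article
// describes, run over a package-lock.json with a constructed registry snapshot.
const CRITICAL_WEEKLY_DOWNLOADS = 10_000_000; // the article's "one publisher, 10M+ weekly" bar

// Constructed package-lock.json v3 fragment; keys are install paths, nested copies included.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/@antv/g2": { version: "5.1.0" },
    "node_modules/@tanstack/query-core": { version: "5.0.0" },
    "node_modules/@tanstack/query-core/node_modules/chalk": { version: "4.1.2" },
  },
};

// Constructed registry snapshot. `maintainers` follows the shape of the npm packument field;
// chalk's figures are the article's, the other two rows are constructed for illustration.
const publishers = (prefix, n) => Array.from({ length: n }, (_, i) => ({ name: `${prefix}-${i}` }));
const registry = {
  chalk: { maintainers: publishers("chalk", 1), weeklyDownloads: 413_000_000, provenance: false },
  "@antv/g2": { maintainers: publishers("antv", 17), weeklyDownloads: 337_000, provenance: false },
  "@tanstack/query-core": { maintainers: publishers("tanstack", 5), weeklyDownloads: 5_000_000, provenance: true },
};

// Every dependency name in the lockfile, scoped names kept whole, duplicates collapsed.
function dependencyNames(lock) {
  const names = new Set();
  for (const installPath of Object.keys(lock.packages)) {
    const m = /node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(installPath);
    if (m) names.add(m[1]);
  }
  return [...names].sort();
}

// One account plus 10M+ weekly installs is the node-ipc shape: a single stolen credential
// reaches millions of machines. The caveat records what this one signal cannot see.
function assessPackage(name, meta) {
  const count = meta.maintainers.length;
  const critical = count === 1 && meta.weeklyDownloads >= CRITICAL_WEEKLY_DOWNLOADS;
  let caveat = null;
  if (meta.provenance) caveat = "provenance stays valid if the CI runner that published was abused";
  else if (count > 1) caveat = `any one of ${count} accounts is still one phished credential away`;
  return { name, publishers: count, weeklyDownloads: meta.weeklyDownloads, risk: critical ? "CRITICAL" : "NONE", caveat };
}

function auditLockfile(lock, reg) {
  return dependencyNames(lock).map((name) =>
    reg[name] ? assessPackage(name, reg[name]) : { name, risk: "UNKNOWN", caveat: "not in registry snapshot" });
}

console.table(auditLockfile(lockfile, registry));
```

Point the lockfile loader at a real package-lock.json and replace the snapshot with live packument and download-count lookups to reproduce the concentration column for your own stack.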

When the next credential-theft attack hits npm, it will follow the node-ipc pattern, not the TanStack pattern. Behavioral signals will have flagged it. Process scores won’t have helped.

And when the next CI/CD attack hits, behavioral signals won’t help. Scorecard will.

Use both.


Check your own stack

npx proof-of-commitment --file package-lock.json

Or scan directly: getcommit.dev/audit. Each result shows publisher count, Scorecard score, provenance status, and risk flags.

Open source on GitHub. Free CLI. Pro tier adds batch API, monitoring, and alerts.