Supply Chain Security · May 19, 2026 · 8 min read

AntV npm Packages Compromised via Hijacked Maintainer Account

On May 19, 2026, Socket researchers flagged a malicious publish wave across the AntV visualization ecosystem after the atool maintainer account was hijacked. Echarts-for-react and over a dozen related packages were affected across hundreds of versions.

On May 19, 2026, Socket’s Threat Research team flagged a coordinated malicious publish wave across the AntV npm namespace. The attack entered through a single hijacked account: atool, a shared maintainer identity with publish access across the AntV visualization ecosystem. Socket attributes the campaign to TeamPCP, the group behind a string of recent npm compromises.

The AntV libraries are used widely in enterprise dashboards and data-intensive interfaces. @antv/g2 and @antv/g6 together see millions of weekly downloads. echarts-for-react, also caught in the publish wave, sits at roughly 1.1 million installs per week. Any install run against a compromised version inside a CI environment or on a developer machine with live cloud credentials is precisely the scenario this attack was designed to exploit.

How the attack works

When a compromised version is installed, a preinstall hook fires before your build starts. The hook fetches a platform-appropriate Bun runtime from GitHub Releases and immediately executes an approximately 11.7 MB obfuscated JavaScript payload. The obfuscation is heavy enough that static analysis tools do not flag it on sight; the payload only reveals itself at runtime.

The payload profiles the execution environment and begins harvesting. The target list is broad: SSH keys, AWS and GCP credential files, Kubernetes configs, GitHub and npm tokens, HashiCorp Vault tokens, and configuration files from AI tooling. Collected material is encrypted with RSA-OAEP-4096 and AES-256-GCM before it leaves the machine. Exfiltration runs across three redundant channels: the domain filev2.getsession[.]org (Session Protocol infrastructure), attacker-controlled repositories reached via GitHub’s GraphQL API using stolen tokens, and the typosquat domain git-tanstack[.]com.

If the malware acquires a GitHub token with sufficient permissions, it plants persistence. Hooks are inserted into Claude Code and VS Code configurations, a gh-token-monitor service is installed, and malicious GitHub Actions workflows serialize repository secrets to api.masscan[.]cloud. The campaign also carries a dead-man’s switch: the npm token used for the malicious publishes is described as “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.” Revocation triggers rm -rf ~/ on the affected machine.

What was affected

The atool account had publish access across a wide slice of the AntV namespace. Socket identified hundreds of unique package versions caught in the wave. Confirmed affected packages include:

  • @antv/g2. Grammar-of-graphics charting library. Millions of weekly downloads.
  • @antv/g6. Graph and network visualization.
  • @antv/x6. Node-based diagramming and flowchart tooling.
  • @antv/l7. Geospatial and map visualization.
  • @antv/s2. Spreadsheet-style data table renderer.
  • @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, @antv/data-set. Additional packages across the AntV rendering and data stack.
  • echarts-for-react. Approximately 1.1 million weekly downloads. Maintained by the same atool account outside the AntV namespace.
  • timeago.js, size-sensor, canvas-nest.js. Utility packages also published under the atool account.

Compromised version list

Every entry below was published on May 19, 2026 and is confirmed malicious. Versions predating that date are clean. For echarts-for-react, three separate version bumps were pushed on the same day, so even apparent patch releases (3.0.7) are compromised — the last safe release is 3.0.6.

Package             Compromised versions      Last safe version
@antv/g2            5.5.8, 5.6.8              ≤ 5.4.8
@antv/g6            5.2.1, 5.3.1              < 5.2.1
@antv/x6            3.2.7, 3.3.7              < 3.2.7
@antv/g2plot        2.5.35, 2.6.35            < 2.5.35
@antv/s2            2.8.1, 2.9.1              < 2.8.1
@antv/f2            5.15.0, 5.16.0            < 5.15.0
@antv/graphin       3.1.5, 3.2.5              < 3.1.5
@antv/data-set      0.12.8, 0.13.8            < 0.12.8
@antv/g             6.4.1, 6.5.1              < 6.4.1
@antv/l7            2.26.10, 2.27.10          < 2.26.10
@antv/graphlib      2.1.4, 2.2.4              < 2.1.4
echarts-for-react   3.0.7, 3.1.7, 3.2.7       ≤ 3.0.6
timeago.js          4.1.2, 4.2.2              < 4.1.2
timeago-react       3.1.7, 3.2.7              < 3.1.7
size-sensor         1.1.4, 1.2.4              < 1.1.4
canvas-nest.js      2.1.4, 2.2.4              < 2.1.4

This list covers the highest-impact packages. The full wave touched over 300 versions across the AntV namespace, including deeper sub-packages (@antv/g-plugin-*, @antv/l7-*, @antv/x6-plugin-*, and others). Any version of any AntV-namespaced package published on May 19, 2026 should be treated as suspect until individually verified.

What makes this incident notable

A single hijacked maintainer account was enough to expose an entire visualization namespace. The AntV ecosystem spans dozens of packages under the same publisher identity, so compromising atool gave the attacker a publish path to all of them simultaneously, regardless of how well any individual package was otherwise maintained.

echarts-for-react is also worth calling out separately. It does not sit in the AntV namespace, which means developers who scoped their audit to AntV packages alone would miss it. The attacker did not need to compromise a separate account to reach that package. Shared maintainer identities create blast radii that namespace filtering cannot contain.

What teams should do

Start with your lock files and any CI runs from May 19, 2026 onward. Socket has published an active list of affected versions. Compare it against your full resolved dependency tree, not just your direct dependencies.

  • Audit lock files. Search for any AntV package, echarts-for-react, timeago.js, size-sensor, or canvas-nest.js version published on or after May 19, 2026. If found, treat that installation and any credentials accessible from it as compromised.
  • Rotate credentials immediately. If a potentially compromised install ran in a CI environment or on a machine with live cloud credentials, rotate those credentials now. Do not wait for forensic confirmation.
  • Check for persistence. Look for unexpected entries in VS Code or Claude Code hook configurations, any unfamiliar gh-token-monitor services, and new GitHub Actions workflows in repositories that have npm publish access.
  • Check transitive dependencies. You may not depend on AntV packages directly, but a charting component or UI kit you use might. Trace the full resolved tree in every affected repository.
  • Pin clean versions. Safe versions for AntV packages are those published before May 19, 2026. The npm release history for each package shows exact publish timestamps. Do not rely on the latest tag until npm has confirmed the malicious versions are unpublished.
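The lock-file audit and transitive-dependency check above, as an added example (not Socket's tooling or code from the AntV project): a Node.js script that walks a package-lock.json and classifies every installed package, direct or transitive, against the last-safe-version table from this advisory. It assumes lockfileVersion 2 or 3 (the "packages" map keyed by node_modules path) and goes one step beyond the table by flagging any other @antv/* package for manual publish-date review; the default lock-file path is a placeholder.

```javascript
// Added example, not Socket's tooling: audit a package-lock.json (lockfileVersion 2 or 3,
// "packages" map keyed by node_modules path, so transitive installs are included).

// Last safe release per package, from the advisory table. "<=" means that version is
// itself safe; "<" means only strictly older versions are.
const LAST_SAFE = {
  "@antv/g2": "<=5.4.8", "@antv/g6": "<5.2.1", "@antv/x6": "<3.2.7",
  "@antv/g2plot": "<2.5.35", "@antv/s2": "<2.8.1", "@antv/f2": "<5.15.0",
  "@antv/graphin": "<3.1.5", "@antv/data-set": "<0.12.8", "@antv/g": "<6.4.1",
  "@antv/l7": "<2.26.10", "@antv/graphlib": "<2.1.4",
  "echarts-for-react": "<=3.0.6", "timeago.js": "<4.1.2",
  "timeago-react": "<3.1.7", "size-sensor": "<1.1.4", "canvas-nest.js": "<2.1.4",
};

// Numeric x.y.z compare; pre-release suffixes are ignored (the advisory lists plain releases).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// "compromised": at or beyond the last safe release. "review": any other @antv/* package,
// because the table is not exhaustive and its publish date must be checked by hand. Else null.
function classify(name, version) {
  const rule = LAST_SAFE[name];
  if (!rule) return name.startsWith("@antv/") ? "review" : null;
  const c = cmpVersion(version, rule.replace(/^<=?/, ""));
  return (rule.startsWith("<=") ? c > 0 : c >= 0) ? "compromised" : null;
}

// Walk every installed package, direct and transitive, and return the findings. The lock
// file's hasInstallScript flag is carried along: the malicious versions run from a preinstall hook.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // "" is the root project itself
    const name = entry.name || path.split("node_modules/").pop();
    const status = classify(name, entry.version);
    if (status) findings.push({ path, name, version: entry.version, status, installScript: Boolean(entry.hasInstallScript) });
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2] || "package-lock.json", "utf8"));
  for (const f of auditLock(lock)) console.log(`${f.status}\t${f.name}@${f.version}\t${f.path}`);
}
```

Run it against each affected repository's lock file; a "compromised" hit means the install and every credential reachable from it should be treated as exposed, per the rotation step above.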

TeamPCP has moved through npm ecosystems in rapid succession, each time entering through a different compromised account. The question for teams is not whether they were hit by one specific incident, but whether they can answer that question for all of them quickly. Teams that have their full dependency graph mapped before an incident lands can scope the blast radius in minutes. Teams that trace manually spend that time on triage instead of remediation. Knowing what you install, and from whom, is the preparation that makes the difference.