Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised
Source: News.Ycombinator
Published:
<p>The npm account atool ( [email protected] ) was compromised on May 19, 2026. The attacker published 637 malicious versions across 317 packages in a 22-minute automated burst. Affected packages include size-sensor (4.2M downloads/month), echarts-for-react (3.8M), @antv/scale (2.2M), timeago.js (1.