PANews posted on X (formerly Twitter). Security firm SlowMist has issued a warning about a supply chain attack affecting several commonly used npm packages, including AntV and Echarts-for-react, as well as Python package durabletask versions 1.4.1, 1.4.2, and 1.4.3. On May 19, attackers breached an npm account and within 22 minutes released 637 malicious versions across 317 packages.
SlowMist believes that the recent large-scale GitHub token leak and the ransomware attack on Grafana Labs may be linked to this supply chain attack. Developers whose projects rely on the affected packages are advised to immediately rotate all exposed credentials, replace the compromised package versions, and check their CI/CD pipelines for anomalies.
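One way to carry out the "replace the compromised package versions" step is to scan dependency manifests for what the advisory names. This is an added example, not SlowMist's or PANews' tooling; it assumes the npm projects publish as `@antv/*` and `echarts-for-react` (the page gives those names but no npm version list, so matches are reported for manual review), and the sample manifests are constructed.

```python
# Audit Python and npm manifests against the SlowMist advisory (added example).
import json
import re

# Versions the advisory names as malicious (taken from the page).
COMPROMISED_PYPI = {"durabletask": {"1.4.1", "1.4.2", "1.4.3"}}
# npm packages the advisory names without a version list: any resolved version
# is reported for manual review. Assumption: "AntV" publishes under the @antv/
# scope and "Echarts-for-react" as the unscoped echarts-for-react package.
NPM_WATCHLIST_PREFIXES = ("@antv/", "echarts-for-react")

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;#]*)")

def audit_requirements(text):
    """Return [(name, version)] for pinned lines at a compromised version.
    Accepts requirements.txt or `pip freeze` output; names are normalised
    (case-insensitive, '_' treated as '-') the way pip does."""
    hits = []
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        if m.group(2) in COMPROMISED_PYPI.get(name, set()):
            hits.append((name, m.group(2)))
    return hits

def audit_package_lock(text):
    """Return sorted [(name, version)] for resolved npm packages on the watchlist.
    Handles lockfileVersion 2/3 ("packages": {"node_modules/<name>": ...})
    and lockfileVersion 1 ("dependencies": {"<name>": {"version": ...}})."""
    lock = json.loads(text)
    found = set()
    for path, meta in lock.get("packages", {}).items():
        name = path.split("node_modules/")[-1]  # drop nested node_modules prefixes
        if path and name.startswith(NPM_WATCHLIST_PREFIXES):
            found.add((name, meta.get("version", "?")))
    for name, meta in lock.get("dependencies", {}).items():
        if name.startswith(NPM_WATCHLIST_PREFIXES):
            found.add((name, meta.get("version", "?")))
    return sorted(found)

# Constructed sample inputs so the script runs stand-alone.
SAMPLE_REQUIREMENTS = "requests==2.32.3\nDurableTask==1.4.2\ndurabletask==1.4.0\n"
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/echarts-for-react": {"version": "3.0.2"},
    "node_modules/@antv/g2": {"version": "5.2.1"},
    "node_modules/react": {"version": "18.3.1"}}})

if __name__ == "__main__":
    print(audit_requirements(SAMPLE_REQUIREMENTS))  # [('durabletask', '1.4.2')]
    print(audit_package_lock(SAMPLE_LOCK))
```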
