
Compromised atool npm Account Delivers CI/CD Credential Stealer Across 24 Packages (echarts-for-react package, timeago.js)

The npm account atool (email i@hust.cc, associated with hustcc on GitHub — author of timeago.js and a maintainer of the AntV visualization ecosystem) was compromised. The attacker published two waves of malicious releases across 24 packages in a 10-minute window on 2026-05-19.
Sai Likhith

May 19, 2026


Background: The atool npm Account and Affected Ecosystems

The npm account atool (email i@hust.cc) is the primary publisher of timeago.js, a JavaScript library for relative time formatting (e.g., "3 hours ago") with over 1.5 million weekly downloads. The same account is a member of the AntV maintainer team — Alibaba's open-source data visualization ecosystem that powers graph visualization (@antv/g6), 2D rendering (@antv/g), charting (@antv/g2, @antv/g2plot), map visualization (@antv/l7), and spreadsheet rendering (@antv/s2). Individual AntV packages receive between 50,000 and 2,000,000 weekly downloads.

Environments that install these packages include data engineering pipelines, financial dashboards, React/Vue/Angular front-end builds, and enterprise data platforms. Many of these run inside GitHub Actions, GitLab CI, or Kubernetes-hosted CI/CD pipelines that hold elevated cloud credentials — making this an extremely high-value target for a supply chain attacker.

Compromised Packages

Package | Compromised Versions
timeago.js | 4.1.2, 4.2.2
timeago-react | 3.1.7, 3.2.7
echarts-for-react | 3.0.7, 3.1.7, 3.2.7
jest-canvas-mock | 2.5.3, 2.6.3, 2.7.3
jest-date-mock | 1.0.11, 1.1.11, 1.2.11
size-sensor | 1.0.4, 1.1.4, 1.2.4
canvas-nest.js | 2.1.4, 2.2.4
filesize.js | 2.1.0, 2.2.0
onfire.js | 2.1.1, 2.2.1
relationship.js | 1.3.9, 1.4.9
ribbon.js | 1.1.2
slice.js | 1.2.1, 1.3.1
word-width | 1.1.1, 1.2.1
lint-md | 0.3.0, 0.4.0
lint-md-cli | 0.2.2, 0.3.2
mcp-echarts | 0.8.1, 0.9.1
mcp-mermaid | 0.5.1, 0.6.1
@antv/adjust | 0.3.5, 0.4.5
@antv/algorithm | 0.2.26, 0.3.26
@antv/async-hook | 2.3.9, 2.4.9
@antv/attr | 0.4.5, 0.5.5
@antv/ava | 3.5.1, 3.6.1
@antv/ava-react | 3.4.2, 3.5.2
@antv/color-util | 2.1.6, 2.2.6
@antv/component | 2.2.11, 2.3.11
@antv/coord | 0.5.7, 0.6.7
@antv/data-set | 0.12.8, 0.13.8
@antv/dom-util | 2.1.4, 2.2.4
@antv/event-emitter | 0.2.3, 0.3.3
@antv/expr | 1.1.2, 1.2.2
@antv/f-engine | 1.11.0, 1.12.0
@antv/f-lottie | 1.11.0, 1.12.0
@antv/f-my | 1.11.0, 1.12.0
@antv/f-react | 1.11.0, 1.12.0
@antv/f-test-utils | 1.1.9, 1.2.9
@antv/f-vue | 1.11.0, 1.12.0
@antv/f-wx | 1.11.0, 1.12.0
@antv/f2 | 5.15.0, 5.16.0
@antv/f2-react | 5.15.0, 5.16.0
@antv/g | 6.4.1, 6.5.1
@antv/g-base | 0.6.16, 0.7.16
@antv/g-camera-api | 2.1.45, 2.2.45
@antv/g-canvas | 2.3.0, 2.4.0
@antv/g-device-api | 1.7.13, 1.8.13
@antv/g-dom-mutation-observer-api | 2.1.42, 2.2.42
@antv/g-gesture | 3.1.42, 3.2.42
@antv/g-lite | 2.8.0, 2.9.0
@antv/g-lottie-player | 1.2.1, 1.3.1
@antv/g-math | 3.2.0, 3.3.0
@antv/g-mobile-canvas | 1.2.1, 1.3.1
@antv/g-mobile-canvas-element | 1.1.42, 1.2.42
@antv/g-mobile-svg | 1.2.1, 1.3.1
@antv/g-mobile-webgl | 1.2.1, 1.3.1
@antv/g-plugin-3d | 2.2.1, 2.3.1
@antv/g-plugin-a11y | 1.5.1, 1.6.1
@antv/g-plugin-canvas-path-generator | 2.2.26, 2.3.26
@antv/g-plugin-canvas-picker | 2.4.1, 2.5.1
@antv/g-plugin-canvas-renderer | 2.6.1, 2.7.1
@antv/g-plugin-control | 2.2.1, 2.3.1
@antv/g-plugin-device-renderer | 2.7.1, 2.8.1
@antv/g-plugin-dom-interaction | 2.2.31, 2.3.31
@antv/g-plugin-dragndrop | 2.2.1, 2.3.1
@antv/g-plugin-html-renderer | 2.4.1, 2.5.1
@antv/g-plugin-image-loader | 2.4.1, 2.5.1
@antv/g-plugin-mobile-interaction | 1.1.42, 1.2.42
@antv/g-plugin-rough-canvas-renderer | 2.2.1, 2.3.1
@antv/g-plugin-rough-svg-renderer | 2.2.1, 2.3.1
@antv/g-plugin-svg-picker | 2.1.46, 2.2.46
@antv/g-plugin-svg-renderer | 2.5.1, 2.6.1
@antv/g-svg | 2.2.1, 2.3.1
@antv/g-web-animations-api | 2.2.32, 2.3.32
@antv/g-webgl | 2.2.1, 2.3.1
@antv/g-webgpu | 2.2.1, 2.3.1
@antv/g-webgpu-core | 0.8.2, 0.9.2
@antv/g-webgpu-engine | 0.8.2, 0.9.2
@antv/g2 | 5.5.8, 5.6.8
@antv/g2-extension-3d | 0.3.0, 0.4.0
@antv/g2-extension-ava | 0.3.0, 0.4.0
@antv/g2-extension-plot | 0.3.2, 0.4.2
@antv/g2-plugin-slider | 2.2.1, 2.3.1
@antv/g2plot | 2.5.35, 2.6.35
@antv/g6 | 5.2.1, 5.3.1
@antv/g6-core | 0.9.24, 0.10.24
@antv/g6-element | 0.9.25, 0.10.25
@antv/g6-extension-react | 0.3.7, 0.4.7
@antv/g6-pc | 0.9.25, 0.10.25
@antv/g6-plugin | 0.9.25, 0.10.25
@antv/g6-ssr | 0.2.1, 0.3.1
@antv/geo-coord | 1.1.8, 1.2.8
@antv/gi-assets-basic | 2.5.40, 2.6.40
@antv/gi-sdk | 3.1.0, 3.2.0
@antv/gi-theme-antd | 0.7.11, 0.8.11
@antv/gl-matrix | 2.8.1, 2.9.1
@antv/gpt-vis | 1.1.0, 1.2.0
@antv/gpt-vis-ssr | 0.4.7, 0.5.7
@antv/graphin | 3.1.5, 3.2.5
@antv/graphlib | 2.1.4, 2.2.4
@antv/hierarchy | 0.8.1, 0.9.1
@antv/infographic | 0.3.19, 0.4.19
@antv/l7 | 2.26.10, 2.27.10
@antv/l7-component | 2.26.10, 2.27.10
@antv/l7-core | 2.26.10, 2.27.10
@antv/l7-draw | 3.2.5, 3.3.5
@antv/l7-layers | 2.26.10, 2.27.10
@antv/l7-map | 2.26.10, 2.27.10
@antv/l7-maps | 2.26.10, 2.27.10
@antv/l7-react | 2.5.3, 2.6.3
@antv/l7-renderer | 2.26.10, 2.27.10
@antv/l7-scene | 2.26.10, 2.27.10
@antv/l7-source | 2.26.10, 2.27.10
@antv/l7-three | 2.26.10, 2.27.10
@antv/l7-utils | 2.26.10, 2.27.10
@antv/l7plot | 0.6.11, 0.7.11
@antv/l7plot-component | 0.1.11, 0.2.11
@antv/larkmap | 1.6.1, 1.7.1
@antv/layout-gpu | 1.2.7, 1.3.7
@antv/layout-wasm | 1.5.2, 1.6.2
@antv/li-core-assets | 1.4.7, 1.5.7
@antv/li-editor | 1.7.1, 1.8.1
@antv/li-sdk | 1.6.1, 1.7.1
@antv/matrix-util | 3.1.4, 3.2.4
@antv/mcp-server-antv | 0.2.8, 0.3.8
@antv/mcp-server-chart | 0.10.10, 0.11.10
@antv/path-util | 3.1.1, 3.2.1
@antv/react-g | 2.2.1, 2.3.1
@antv/s2 | 2.8.1, 2.9.1
@antv/s2-react | 2.4.1, 2.5.1
@antv/s2-ssr | 0.2.1, 0.3.1
@antv/s2-vue | 2.3.0, 2.4.0
@antv/scale | 0.6.2, 0.7.2
@antv/smart-color | 0.3.1, 0.4.1
@antv/thumbnails | 2.1.0, 2.2.0
@antv/util | 3.4.11, 3.5.11
@antv/vendor | 1.1.11, 1.2.11
@antv/x6 | 3.2.7, 3.3.7
@antv/x6-angular-shape | 3.1.1, 3.2.1
@antv/x6-react-shape | 3.1.1, 3.2.1
@antv/x6-vue-shape | 3.1.2, 3.2.2
@antv/x6-vue3-shape | 1.1.0, 1.2.0
@antv/xflow | 2.2.13, 2.3.13
@lint-md/cli | 2.1.0, 2.2.0
@lint-md/core | 2.1.0, 2.2.0
@lint-md/parser | 0.1.14, 0.2.14
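
To check a project against the versions listed above, the lockfile can be scanned directly, including transitive and nested installs. This is an added example, not code from the original post; `COMPROMISED` holds only an excerpt of the list, and `sampleLock` is a constructed lockfile.

```javascript
// Excerpt of the compromised-versions list above; add the remaining rows before use.
const COMPROMISED = new Map(Object.entries({
  "timeago.js": ["4.1.2", "4.2.2"],
  "echarts-for-react": ["3.0.7", "3.1.7", "3.2.7"],
  "size-sensor": ["1.0.4", "1.1.4", "1.2.4"],
  "@antv/g2": ["5.5.8", "5.6.8"],
  "@antv/util": ["3.4.11", "3.5.11"],
}));

// lockfileVersion 2/3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if ((COMPROMISED.get(name) || []).includes(version)) hits.push({ name, version, where });
  };
  // v2/v3: flat "packages" map; an aliased install carries its real name in meta.name.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    check(meta.name || nameFromPath(path), meta.version, path);
  }
  // v1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${trail}/${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", version: "1.0.0" },
    "node_modules/@antv/g2": { version: "5.5.8" },
    "node_modules/@antv/util": { version: "3.4.10" },
    "node_modules/echarts-for-react/node_modules/size-sensor": { version: "1.1.4" },
    "node_modules/ago": { name: "timeago.js", version: "4.2.2" },
  },
};
console.log(findCompromised(sampleLock));
```

To scan a real project, pass the parsed contents of `package-lock.json` to `findCompromised`; an empty result only means none of the versions loaded into `COMPROMISED` are pinned.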