A reported compromise of a maintainer account with publish rights in npm's @antv scope shows how a trusted package can become a delivery channel for malicious code: whoever controls the publishing account controls what every downstream install receives.