GMS-2026-567: xmorse contains malware after npm account takeover

May 19, 2026

On May 19th 2026, a new supply chain attack linked to the Mini Shai-Hulud campaign was identified. This package contains malicious code published through a compromised npm maintainer account. The malicious software is part of a coordinated high-volume publish wave targeting popular data visualization and charting ecosystems. It is recommended that all credentials be rotated, npm cache is cleared, the node_modules directory is removed, and all dependencies be rolled back to previous known-good versions.

References

safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/
socket.dev/blog/antv-packages-compromised

Code Behaviors & Features

Detect and mitigate GMS-2026-567 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →