www.stepsecurity.io 5/19/2026, 4:29:16 AM · via preferred

Compromised atool account pushes malware to timeago.js and AntV


The atool npm account, linked to hustcc on GitHub and the author of timeago.js, was compromised; the account’s email is listed as i@hust[.]cc. The attacker published two waves of malicious releases across 24 packages in a 10-minute window on 19 May 2026, targeting widely used components such as echarts-for-react and timeago.js.

timeago.js is a JavaScript library for relative time formatting and, according to the piece, has over 1.5 million weekly downloads. The atool account is part of the AntV open-source data visualization ecosystem that powers several packages including @antv/g2plot, @antv/g, and others.

Environments that install these packages include data engineering pipelines, financial dashboards, and front-end builds in React, Vue and Angular, with many deployments running inside GitHub Actions, GitLab CI or Kubernetes-hosted CI/CD pipelines, which elevates the value of any supply chain attack. The post emphasises the high‑value target this represents for attackers seeking to exfiltrate CI/CD credentials.


Article by CyberSIXT
