I think that this GHSA is wrong: GHSA-qcp2-qp9h-qprg
@antv/adjust was shipping malware in versions 0.3.5 and 0.4.5, because of account takeover of the maintainer.
But up to 0.2.5 it should not be considered malware.
GitLab has it more correct, I think, and also has a link to the full story about all the other packages that were affected.
https://advisories.gitlab.com/npm/@antv/adjust/GMS-2026-71/
https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/