The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised

Tuesday, May 19, 2026 at 11:00 PM UTC·Source: Snyk

Updated: Wednesday, May 20, 2026 at 08:01 AM UTC

Executive Summary

A day after the AntV npm supply chain attack, the same campaign appears to have struck `durabletask`, a Microsoft-associated Python package on PyPI. Snyk has coverage in the vulnerability database and package health pages. Here's what we know.

Analysis

Source Attribution

Originally published by Snyk on May 19, 2026.

Related Threats

MEDIUMSupply Chain

Managing Open Source Software Risks With the HeroDevs EOL Dashboard

<div class="hs-featured-image-wrapper"> <a href="https://www.sonatype.com/blog/managing-open-source-software-risks-with-the-herodevs-eol-dashboard" title="" class="hs-featured-image-link"> <img src="https://www.sonatype.com/hubfs/blog_herodevs_eol.jpg" alt="Image of two icons side by side. One of them is a logo for the software product Sonatype Lifecycle. The other is a logo for HeroDevs." class="

1h agoSonatype (Maven/npm)

MEDIUMSupply Chain

Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack

A compromised maintainer account was used to publish malicious package versions across the @antv namespace. The post Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack appeared first on SecurityWeek .

3h agoSecurityWeek

MEDIUMSupply Chain

Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem

AI-generated lookalike domains are now embedded inside the third-party scripts running on your web properties. Here's why your current stack can't see them, and what detection actually requires. Download the CISO Expert Guide to Typosquatting in the AI Era → TL;DR Typosquatting is no longer a user problem. Attackers now embed lookalike domains inside legitimate third-party scripts.

3h agoThe Hacker News