@uipath/ui-widgets-multi-file-upload contains malware after npm account takeover
On May 19th 2026, a new supply chain attack linked to the Mini Shai-Hulud campaign was identified. This package contains malicious code published through a compromised npm maintainer account. The malicious software is part of a coordinated high-volume publish wave targeting popular data visualization and charting ecosystems. It is recommended that all credentials be rotated, npm cache is cleared, the node_modules directory is removed, and all dependencies be rolled back …