InfoWorld

Compromised npm package silently installs OpenClaw on developer machines

A new security bypass has users installing AI agent OpenClaw — whether they intended to or not. Researchers have discovered that a compromised npm publish token pushed an update for the widely-used ...
InfoWorld

Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud

A researcher at Koi Security says the two key platforms have not plugged the vulnerabilities enabling the worm attacks, and ‘the JavaScript ecosystem deserves better.’ Javascript developers should ...
cryptopolitan

Cybersecurity researchers uncover fake Bitcoin npm packages that steal crypto wallets and seeds

Cybersecurity researchers have uncovered three malicious Bitcoin npm packages designed to install malware called NodeCordRAT. NodeCordRAT is equipped to steal Google Chrome credentials, API tokens ...
Dark Reading

DPRK's 'Contagious Interview' Spawns Malicious Npm Package Factory

North Korea's 'Contagious Interview' campaign to target job seekers has expanded yet again, this time with a persistent npm package-poisoning game that runs like a well-oiled machine. Threat actors ...
SecurityWeek

640 NPM Packages Infected in New ‘Shai-Hulud’ Supply Chain Attack

The new self-replicating worm iteration has destructive capabilities, erasing home directory contents if it cannot spread to more repositories. Approximately 640 NPM packages have been infected with a ...
bankinfosecurity

Automated Shai Hulud Infects Thousands of NPM Repositories

The Dune-inspired Shai Hulud has returned in a weaponized upgrade, unleashing an automated supply chain worm that's infected over 25,000 npm repositories, tied to hundreds of maintainers. See Also: ...
securities

NPM Supply-Chain Attack: What Happened and How to Fix It

Securities.io maintains rigorous editorial standards and may receive compensation from reviewed links. We are not a registered investment adviser and this is not investment advice. Please view our ...
TechRepublic

Malware Injected Into Code Packages That Get 2 Billion+ Downloads Each Week

Malware Injected Into Code Packages That Get 2 Billion+ Downloads Each Week Your email has been sent An attack targeting the Node.js ecosystem was just identified ...
ZDNet

This 2FA phishing scam pwned a developer - and endangered billions of npm downloads

A phishing email was at the heart of the attack. NPM team quickly removed backdoored versions. 18 packages hit, with 2B+ downloads every week. A new digital supply chain attack has targeted popular ...
SiliconANGLE

Massive npm hack poisons 18 packages with billions of downloads

Aikido Security Ltd. today disclosed what is being described as the largest npm supply chain compromise to date, after attackers injected malware into 18 popular packages that together account for ...
CSOonline

Supply chain attack compromises npm packages to spread backdoor malware

In a newly discovered supply chain attack, attackers last week targeted a range of npm-hosted JavaScript type testing utilities, several of which were successfully compromised to distribute malware.