In a supply chain attack, attackers injected malware into NPM packages with over 2.6 billion weekly downloads after ...
Qix is an open source maintainer account that was compromised by a phishing attack. This allowed attackers to infect 18 popular npm packages with malicious code. Together, these packages are ...
Inspect your GitHub account for a repository named “Shai-Hulud.” The malware automatically creates this repo to store exfiltrated secrets. If it exists, remove it immediately, and carefully review its ...
60 packages have been discovered in the NPM index that attempt to collect sensitive host and network data and send it to a Discord webhook controlled by the threat actor. According to Socket’s Threat ...
"Each published package becomes a new distribution vector: as soon as someone installs it, the worm executes, replicates, and ...
Dozens of npm libraries, including a color library with over 2 million downloads a week, have been replaced with novel self-replicating credential-stealing code in yet another wave of a supply chain ...
A series of malicious packages hidden within the Node Package Manager (npm), the largest software registry for JavaScript, has been uncovered. According to a new advisory published by FortiGuard on ...
Security researchers have uncovered two new malicious packages on the npm open source package manager that utilized GitHub to store stolen Base64-encoded SSH keys taken from developer systems. These ...
A new digital supply chain attack has targeted popular open-source npm packages with at least two billion downloads per week. On Sept. 8, Josh Junon, a package maintainer whose account was at the ...
Node Package Manager (NPM) is installed on your Windows computer once you install Node.js. It is a package manager for modules of Node.js, and it’s ready to run on your Windows PC. In this article, we ...
According to ReversingLabs' 2025 Software Supply Chain Security Report, 14 of the 23 crypto-related malicious campaigns in ...