#npm
27 stories taggednpm.

Poisoned Injective SDK on npm quietly stole crypto wallet keys for hours
A hijacked contributor account on GitHub pushed a booby-trapped version of a popular blockchain toolkit, siphoning seed phrases from any developer who ran the wrong function.

npm 12 Turns Off Auto-Run Install Scripts to Blunt Supply Chain Attacks
GitHub's package manager for JavaScript now ships with a safer default, and it retires a token type that let developers skip two-factor login.

Fake Paysafe and Skrill SDKs on npm and PyPI Went After Developers' Secrets
A single attacker uploaded 17 lookalike payment packages that quietly stole API keys, cloud credentials and GitHub tokens from anyone who installed them.

HalluSquatting: When AI Coding Helpers Invent Fake Software, Criminals Register It First
Researchers show how attackers can predict the fake package names AI assistants make up, then publish real malware under those names, waiting for developers to install the trap.

North Korean hackers flood open-source repositories with 108 booby-trapped packages
The Contagious Interview crew is back, seeding npm, Packagist, Go and Chrome with malware aimed at developers.

Fake Rollup Helper Packages on npm Traced to North Korean Hackers
Two look-alike JavaScript packages copied a popular developer tool line-for-line, then quietly opened a back door onto the machines of anyone who installed them.

Supply-Chain Attackers Hide Python Stealer in npm and Go Packages, Sidestep Lifecycle Scripts
JFrog flags two hijacked npm packages and a Go cluster that abuse VS Code tasks to drop a cross-platform infostealer — bypassing the script hooks defenders typically watch.

Mini Shai-Hulud Worm Jumps to Go, Hits LeoPlatform and RStreams npm Packages
The self-propagating supply chain campaign tied to Miasma and Hades has spread again — abusing GitHub Actions workflows and now reaching Go modules.

Three npm Packages Squat PostCSS Names to Drop a Windows RAT
Typosquatted utilities pulled roughly a thousand combined downloads before researchers flagged them. The payload targets Windows developer machines, which is exactly where the credentials live.

Mastra npm Namespace Hit: 145 Packages Tampered After Contributor Account Hijack
Researchers tracking the 'easy-day-js' supply chain incident say a single compromised maintainer account was sufficient to push malicious versions across the @mastra/* registry footprint.

Someone Wallpapered the @mastra npm Namespace With Malicious Builds
A hijacked maintainer account pushed 144 booby-trapped packages across the Mastra AI framework before anyone noticed. The attacker called it 'easy-day-js.' It was.

npm 12 Pulls the Plug on Install Scripts by Default
GitHub is finally turning off the lifecycle hook that's been quietly powering half a decade of supply chain attacks.

GitHub's npm Overhaul: No More Automatic Install Scripts
GitHub reshapes npm with default script blocking, aiming to tighten software supply chain security.

npm Hit by Dual Supply-Chain Campaigns: Rust Stealer With eBPF Rootkit, Self-Spreading Worm
Researchers flagged two parallel intrusions into the npm registry. One delivers a kernel-level credential scraper. The other propagates through more than 50 poisoned packages.

Miasma Campaign Infects Red Hat npm Packages
Latest supply chain attack reveals persistent threat of credential theft