Tag

#npm

27 stories taggednpm.

Full-frame edge-to-edge overhead photoreal shot of a developer's dark wooden desk at night, a laptop screen glowing with abstract green code, a small physical h
Threat Intelligence

Poisoned Injective SDK on npm quietly stole crypto wallet keys for hours

A hijacked contributor account on GitHub pushed a booby-trapped version of a popular blockchain toolkit, siphoning seed phrases from any developer who ran the wrong function.

3 min
Full-frame photoreal editorial image of a darkened developer workstation with a large monitor showing abstract cascading package dependency graphs in green and
Policy & Regulation

npm 12 Turns Off Auto-Run Install Scripts to Blunt Supply Chain Attacks

GitHub's package manager for JavaScript now ships with a safer default, and it retires a token type that let developers skip two-factor login.

3 min
Full-frame overhead photo of a developer's dark wooden desk lit by warm lamplight, showing an open laptop with generic blurred code on screen, a small stack of
Threat Intelligence

Fake Paysafe and Skrill SDKs on npm and PyPI Went After Developers' Secrets

A single attacker uploaded 17 lookalike payment packages that quietly stole API keys, cloud credentials and GitHub tokens from anyone who installed them.

4 min
Photoreal news-editorial image, 16:9, full frame edge to edge
AI Security

HalluSquatting: When AI Coding Helpers Invent Fake Software, Criminals Register It First

Researchers show how attackers can predict the fake package names AI assistants make up, then publish real malware under those names, waiting for developers to install the trap.

4 min
Full-frame overhead view of a cluttered developer's desk at night, glowing keyboard, open laptop showing abstract package manager output as coloured bars, small
Threat Intelligence

North Korean hackers flood open-source repositories with 108 booby-trapped packages

The Contagious Interview crew is back, seeding npm, Packagist, Go and Chrome with malware aimed at developers.

3 min
Photoreal editorial image, full-frame 16:9, of two nearly identical open cardboard shipping boxes on a dark desk, one subtly marked with a red warning tape, sof
Threat Intelligence

Fake Rollup Helper Packages on npm Traced to North Korean Hackers

Two look-alike JavaScript packages copied a popular developer tool line-for-line, then quietly opened a back door onto the machines of anyone who installed them.

3 min
Threat Intelligence

Supply-Chain Attackers Hide Python Stealer in npm and Go Packages, Sidestep Lifecycle Scripts

JFrog flags two hijacked npm packages and a Go cluster that abuse VS Code tasks to drop a cross-platform infostealer — bypassing the script hooks defenders typically watch.

3 min
Threat Intelligence

Mini Shai-Hulud Worm Jumps to Go, Hits LeoPlatform and RStreams npm Packages

The self-propagating supply chain campaign tied to Miasma and Hades has spread again — abusing GitHub Actions workflows and now reaching Go modules.

2 min
Threat Intelligence

Three npm Packages Squat PostCSS Names to Drop a Windows RAT

Typosquatted utilities pulled roughly a thousand combined downloads before researchers flagged them. The payload targets Windows developer machines, which is exactly where the credentials live.

2 min
Policy & Regulation

Mastra npm Namespace Hit: 145 Packages Tampered After Contributor Account Hijack

Researchers tracking the 'easy-day-js' supply chain incident say a single compromised maintainer account was sufficient to push malicious versions across the @mastra/* registry footprint.

2 min
AI Security

Someone Wallpapered the @mastra npm Namespace With Malicious Builds

A hijacked maintainer account pushed 144 booby-trapped packages across the Mastra AI framework before anyone noticed. The attacker called it 'easy-day-js.' It was.

2 min
Vulnerabilities

npm 12 Pulls the Plug on Install Scripts by Default

GitHub is finally turning off the lifecycle hook that's been quietly powering half a decade of supply chain attacks.

3 min
Policy & Regulation

GitHub's npm Overhaul: No More Automatic Install Scripts

GitHub reshapes npm with default script blocking, aiming to tighten software supply chain security.

2 min
Threat Intelligence

npm Hit by Dual Supply-Chain Campaigns: Rust Stealer With eBPF Rootkit, Self-Spreading Worm

Researchers flagged two parallel intrusions into the npm registry. One delivers a kernel-level credential scraper. The other propagates through more than 50 poisoned packages.

3 min
Vulnerabilities

Miasma Campaign Infects Red Hat npm Packages

Latest supply chain attack reveals persistent threat of credential theft

2 min
© 2026 Threat Vectr