Malicious npm package downloaded 676 times stole Claude AI files via GitHub uploads, increasing AI-driven malware risks.

TrapDoor spread 34 malicious packages across npm, PyPI, and Crates.io, stealing developer credentials and enabling persistence.

TanStack has released a detailed postmortem describing a sophisticated supply-chain attack that compromised 42 npm packages ...

Stolen credentials produced valid Sigstore certificates, clearing 633 malicious npm packages — one of seven developer tool ...

On May 19, the Mini Shai-Hulud worm compromised one npm maintainer account and pushed 639 malicious versions across 323 ...

An attacker poisoned 84 TanStack npm versions across 42 packages, stealing GitHub OIDC tokens and cloud keys while planting a dead-man's switch that nukes your system.

Popular JavaScript modules including size-sensor and echarts-for-react hit as hijacked account closed GitHub warnings ...

Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors. More than ...

Several malicious npm packages on the open-source repository have been used in supply chain attacks and phishing campaigns. The claims come from ReversingLabs researchers, who said in a blog post ...

GitHub's npm package registry has rolled out a publishing approval step to prevent the distribution of compromised packages ...

Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. Last week, JFrog researchers disclosed the scheme in which an unknown threat actor ...

The Node Package Manager, NPM, has become a powerful and important tool, supporting many different JavaScript frameworks — including JQuery, AngularJS, and React JS. If you’re building JavaScript ...