The North Korean threat actor behind the Axios supply chain attack has been targeting high-profile Node.js maintainers.

Attackers stole a long-lived npm access token belonging to the lead maintainer of axios, the most popular HTTP client library in JavaScript, and used it to publish two poisoned versions that install a ...

The poisoned versions, "axios@1.14.1" and "axios@0.30.4," made it onto the npm registry before being yanked, though not before some unlucky devs and CI pipelines pulled them in. Rather than tampering ...

Up to four npm packages on Axios were replaced with malicious versions, in one of the most sophisticated supply chain attacks.

A new browser for the npm registry has launched in alpha, following grassroots demand for an alternative to the official npmjs.com interface. The open source project was started by Daniel Roe, who ...

The Dune-inspired Shai Hulud has returned in a weaponized upgrade, unleashing an automated supply chain worm that's infected over 25,000 npm repositories, tied to hundreds of maintainers. See Also: ...

Malicious code injected into @ensdomains packages between Nov 21-23 targeted developer credentials across GitHub, npm and cloud services. The attack spread through compromised maintainer accounts, ...

Security researchers have uncovered another large-scale, coordinated attack on the npm ecosystem, using worm-like techniques to spread spam packages. Dubbed “IndonesianFoods” due to the unique naming ...

Cybersecurity researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package with the intent to target GitHub-owned ...

The typosquatted packages auto-execute on installation, fingerprint victims by IP, and deploy a PyInstaller binary to harvest credentials from browsers, SSH keys, API tokens, and cloud configuration ...

Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. The finding, ...

As poisoned software continues to pop up across the industry, some threat actors have found a way to hide malicious code in npm packages and avoid detection from most security tools. In an blog post ...