heise online

New supply chain attack with malicious scripts in npm packages

The security firm Socket warns of a campaign with malicious scripts in npm packages. The analysts have discovered 60 of these packages that contain an infostealer, which in turn spies on a machine ...
CSO Online

SAP npm package attack highlights risks in developer tools and CI/CD pipelines

Researchers say the campaign targeted developer credentials and cloud secrets while abusing trusted publishing and AI coding ...
GIGAZINE

The popular @ctrl/tinycolor package, downloaded over 2 million times per week, has been compromised along with over 40 other NPM packages in a sophisticated supply chain attack ...

The malware used in Shai-Hulud is capable of self-propagation, automatically infecting other packages managed by the maintainer of the infected package. It also harvests credentials from developer ...
CSOonline

Malicious npm packages found to create a backdoor in legitimate code

Researchers found malicious packages on the npm registry that, when installed, inject malicious code into legitimate npm packages already residing on developers’ machines. Attackers who target ...