npm
New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages
TL;DR Sonatype Security Research is tracking a new Shai-Hulud Miasma wave with 281 malicious npm package versions that move beyond obvious preinstall and postinstall scripts in package.json. This variant abuses binding.gyp to ...
Lazarus Group’s Latest: Brandjacking Campaign on npm
TL;DR Sonatype Security Research is tracking a Lazarus Group npm campaign using dozens of malicious packages to abuse developer trust and deliver follow-on payloads. The campaign goes beyond typosquatting, relying on brandjacking ...
Red Hat Cloud Services npm Packages Hijacked
A new wave of malicious npm activity has been reported involving multiple packages in the legitimate @redhat-cloud-services namespace ...
Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT
Attackers do not need to wait for a CVE when they can publish directly into the build ...
Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths
TL;DR An open source malware campaign dubbed CanisterSprawl has been observed in npm, stealing sensitive data from developer machines including tokens, API keys, and more. From there, the malware publishes additional compromised ...
Axios Front-End Library npm Supply Chain Poisoning Alert
Overview On March 31, NSFOCUS CERT detected that the npm repository of the HTTP client library Axios was poisoned by the supply chain. The attacker bypassed the normal GitHub Actions CI/CD pipeline ...
Axios Compromise on npm Introduces Hidden Malicious Package
A newly discovered software supply chain attack targeting the npm ecosystem briefly compromised one of the most widely used JavaScript libraries in the world ...
An Evolving GlassWorm Malware is Making the Rounds of Code Repositories
The bad actor can now deploy a RAT, is targeting MCP servers, and is finding new ways to move through Open VSX ...
Sonatype Discovers Two Malicious npm Packages
Sonatype Security Research has identified a potential compromise of a trusted npm maintainer account that has now published two malicious npm packages — sbx-mask and touch-adv — designed to exfiltrate secrets from ...
Hijacked npm Packages Deliver Malware via Solana, Linked to Glassworm
Sonatype Security Research has identified two hijacked npm packages in the React Native ecosystem that receive more than 30,000 downloads collectively per week and were modified to deliver multi-stage malware. Sonatype is ...