Supply Chain Attacks
easy-day-js Targets Mastra, Dependency Attacks Grow
TL;DR On June 17, 2026, security researchers identified a software supply chain attack involving the npm package easy-day-js, a malicious package designed to impersonate the popular JavaScript date library dayjs. Sonatype is ...
New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages
TL;DR Sonatype Security Research is tracking a new Shai-Hulud Miasma wave with 281 malicious npm package versions that move beyond obvious preinstall and postinstall scripts in package.json. This variant abuses binding.gyp to ...
Lazarus Group’s Latest: Brandjacking Campaign on npm
TL;DR Sonatype Security Research is tracking a Lazarus Group npm campaign using dozens of malicious packages to abuse developer trust and deliver follow-on payloads. The campaign goes beyond typosquatting, relying on brandjacking ...
Red Hat Cloud Services npm Packages Hijacked
A new wave of malicious npm activity has been reported involving multiple packages in the legitimate @redhat-cloud-services namespace ...
TeamPCP Takes Cover by Releasing Source Code on GitHub, Spurs Copycats
Just a brief exposure of source code on GitHub by Shai-Hulud is enough to give TeamPCP plausible deniability and spark copycat campaigns ...
Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target
Why bother hunting for a CVE when you can just publish malicious code straight into the software supply chain? That’s the story behind the latest wave of Shai-Hulud-related npm compromises, which recently ...
The Evolution of Open Source Malware: From Volume to Trust Abuse
Open source malware is no longer just a numbers game. What was once largely a volume problem — thousands of malicious packages flooding public registries through typosquatting, brandjacking, and low-effort deception — ...
Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths
TL;DR An open source malware campaign dubbed CanisterSprawl has been observed in npm, stealing sensitive data from developer machines including tokens, API keys, and more. From there, the malware publishes additional compromised ...
Breaches Up, Number of Victims Down, Impact Stronger
The number of data breach victims may have dropped last year, but that’s only because bad actors are getting better at what they do, prioritizing quality over quantity. ...
The Seam in Cybersecurity Defenses That Nation-States Keep Exploiting
The Notepad++ supply chain compromise is the latest proof that sophisticated adversaries are deliberately targeting the gap between two disciplines: vulnerability management, and detection and response. ...