SecurityWeek

GitHub Boosting Security in Response to NPM Supply Chain Attacks

In the light of recent supply chain attacks targeting the NPM ecosystem, GitHub will implement tighter authentication and ...

NPM package caught using QR Code to fetch cookie-stealing malware

Newly discovered npm package 'fezbox' employs QR codes to hide a second-stage payload to steal cookies from a user's web browser. The package, masquerading as a utility library, leverages this ...

This 2FA phishing scam pwned a developer - and endangered billions of npm downloads

A new digital supply chain attack has targeted popular open-source npm packages with at least two billion downloads per week. On Sept. 8, Josh Junon, a package maintainer whose account was at the ...
CSO Online

Trust in MCP takes first in-the-wild hit via squatted Postmark connector

In a newly disclosed supply-chain attack, an npm package “postmark-mcp” was weaponized to stealthily exfiltrate emails, ...

Ethereum, Solana Wallets Targeted in Massive 'npm' Attack But Just 5 Cents Taken

The credential stealer harvested username, password, and 2FA codes before sending them to a remote host. With full access, the attacker republished every "qix" package with a crypto-focused payload.

Over 300 npm packages compromised by self-replicating worm0 0

A new piece of malware is spreading through the popular tinycolor NPM library and more than 300 other packages, some of which ...
SiliconANGLE

Massive npm hack poisons 18 packages with billions of downloads

Aikido Security Ltd. today disclosed what is being described as the largest npm supply chain compromise to date, after attackers injected malware into 18 popular packages that together account for ...

A terrifying, self-replicating malwaere has infected npm packages with over 2 million downloads per week - here's how to stay safe

"After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source ...
TechRadar

Compromised files replace npm packages with a combined 2 billion weekly downloads

Over a dozen popular npm packages were compromised in a phishing-based supply chain attack The malware targeted crypto users by hijacking wallet addresses during transactions Some called it the most ...
Bleeping Computer

Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack

In a supply chain attack, attackers injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack. In the emails, the ...
CoinDesk

Ledger CTO Warns of NPM Supply-Chain Attack Hitting 1B+ Downloads

Charles Guillemet, chief technology officer at hardware wallet maker Ledger, warned on X on Monday that a large-scale supply chain attack is underway after the compromise of a reputable developer’s ...

Crypto Hackers are Now Using Ethereum Smart Contracts to Mask Malware Payloads

Simple-looking code tapped Ethereum’s blockchain to fetch hidden URLs that directed compromised systems to download second-stage malware.