A malicious npm package tied to a campaign some observers have called “Malware-Slop” has been detected copying files from ...

Multiple npm supply chain attacks used 50+ poisoned packages to spread IronWorm, a Rust-based stealer, and a Miasma worm ...

Miasma compromised 32 Red Hat packages June 1 via a hijacked CI/CD pipeline producing valid SLSA attestations, then hit 57 more June 3 using Phantom Gyp to evade install monitors. Red Hat confirmed no ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...

TrapDoor spread 34 malicious packages across npm, PyPI, and Crates.io, stealing developer credentials and enabling persistence.

Red Hat hit by npm supply‑chain attack - here's how to stay safe ...

A series of malicious packages hidden within the Node Package Manager (npm), the largest software registry for JavaScript, has been uncovered. According to a new advisory published by FortiGuard on ...

The security firm Socket warns of a campaign with malicious scripts in npm packages. The analysts have discovered 60 of these packages that contain an infostealer, which in turn spies on a machine ...

Node.js developers, run NPM install at your own risk -- a self-replicating worm can easily spread through the ecosystem Never assume a file downloaded from the Internet is safe. That warning also ...