npm
Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers. The attacker hijacked valid OpenID Connect (OIDC) tokens to publish malicious package versions with verifiable provenance attestation (SLSA Build Level 3) Attributed to the TeamPCP threat group, the attack started with compromising dozens of TanStack […]
Official SAP npm packages compromised to steal credentials
Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers’ systems. Security researchers report that the compromise impacted four packages, with the versions now deprecated on NPM: These packages support SAP’s Cloud Application Programming Model (CAP) and Cloud MTA, which […]
Bitwarden CLI npm package compromised to steal developer credentials
The Bitwarden CLI was briefly compromised after attackers uploaded a malicious @bitwarden/cli package to npm containing a credential-stealing payload capable of spreading to other projects. According to reports by Socket, JFrog, and OX Security, the malicious package was distributed as version 2026.4.0 and remained available between 5:57 PM and 7:30 PM ET on April 22, 2026, before being removed. […]
New npm supply-chain attack self-spreads to steal auth tokens
A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts. The threat was spotted by researchers at application security companies Socket and StepSecurity in multiple packages from Namastex Labs, a company that provides AI-based agentic solutions designed to improve […]
Critical flaw in Protobuf library enables JavaScript code execution
Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google’s Protocol Buffers. The tool is highly popular in the Node Package Manager (npm) registry, with an average of nearly 50 million weekly downloads. It is used for inter-service communication, in real-time applications, and for […]
Axios npm hack used fake Teams error fix to hijack maintainer account
The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign linked to North Korean hackers. This follows the threat actors compromising a maintainer account to publish two malicious versions of Axios (1.14.1 and 0.30.4) to the npm package registry, triggering a […]
Hackers compromise Axios npm package to drop cross-platform malware
Hackers hijacked the npm account of the Axios package, a JavaScript HTTP client with 100M+ weekly downloads, to deliver remote access trojans to Linux, Windows, and macOS systems. According to reports from software supply chain security and application security companies Endor Labs, Socket, Aikido, and StepSecurity, the threat actor published on the Node Package Manager (npm) registry two malicious versions of […]
GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX
The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode/OpenVSX extensions. Researchers at Aikido, Socket, Step Security, and the OpenSourceMalware community have collectively identified 433 compromised components this month in attacks attributed to GlassWorm. Evidence of a single threat actor running the GlassWorm campaigns across multiple open-source […]
New PhantomRaven NPM attack wave steals dev data via 88 packages
New attack waves from the ‘PhantomRaven’ supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers. The campaign was initially uncovered in October 2025 by researchers at cybersecurity company Koi, who said that it had been running since August and published 126 malicious packages on the npm platform. Application […]
New sandbox escape flaw exposes n8n instances to RCE attacks
Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host. Identified as CVE-2026-1470 and CVE-2026-0863, the vulnerabilities were discovered and reported by researchers at DevSecOps company JFrog. Despite requiring authentication, CVE-2026-1470 received a critical severity score of 9.9 out of 10. JFrog […]