Supply Chain Attack
New PhantomRaven NPM attack wave steals dev data via 88 packages
New attack waves from the ‘PhantomRaven’ supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers. The campaign was initially uncovered in October 2025 by researchers at cybersecurity company Koi, who said that it had been running since August and published 126 malicious packages on the npm platform. Application […]
The biggest cyber security and cyberattack stories of 2025
2025 was a big year for cyber security, with major cyberattacks, data breaches, threat groups reaching new notoriety levels, and, of course, zero-day vulnerabilities exploited in incidents. Some stories, though, were more impactful or popular with our readers than others. Below are fifteen of what GeekFeed believes are the most impactful cyber security topics of […]
Malicious npm package steals WhatsApp accounts and messages
A malicious package in the Node Package Manager (NPM) registry poses as a legitimate WhatsApp Web API library to steal WhatsApp messages, collect contacts, and gain access to the account. A fork of the popular WhiskeySockets Baileys project, the malicious package provides the legitimate functionality. It has been available on npm published under the name lotusbail for at least […]
Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets
The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM (Node Package Manager) registry and publishing stolen data in 30,000 GitHub repositories. Although just about 10,000 of the exposed secrets were verified as valid by the open-source TruffleHog scanning tool, researchers at cloud security platform Wiz say that […]
Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub
Hundreds of trojanized versions of well-known packages such as Zapier, ENS Domains, PostHog, and Postman have been planted in the npm registry in a new Shai-Hulud supply-chain campaign. The malicious packages have been added to NPM (Node Package Manager) over the weekend to steal developer and continuous integration and continuous delivery (CI/CD) secrets. The data is […]
Google exposes BadAudio malware used in APT24 espionage campaigns
China-linked APT24 hackers have been using a previously undocumented malware called BadAudio in a three-year espionage campaign that recently switched to more sophisticated attack methods. Since 2022, the malware has been delivered to victims through multiple methods that include spearphishing, supply-chain compromise, and watering hole attacks. Campaign evolution From November 2022 until at least September 2025, APT24 […]
New ‘IndonesianFoods’ spammer floods npm with 150,000 packages
An auto-spamming payload published on npm spams the registry by spawning new packages every seven seconds, creating large volumes of junk. The replicating payload, dubbed ‘IndonesianFoods,’ due to its distinctive package naming scheme that picks random Indonesian names and food terms, has published over 100,000 packages according to Sonatype, and the number is growing exponentially. […]
GlassWorm malware returns on OpenVSX with 3 new VSCode extensions
The GlassWorm malware campaign, which impacted the OpenVSX and Visual Studio Code marketplaces last month, has returned with three new VSCode extensions that have already been downloaded over 10,000 times. GlassWorm is a campaign and malware that leverages Solana transactions to fetch a payload targeting GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency […]
Open VSX rotates access tokens used in supply-chain malware attack
The Open VSX registry rotated access tokens after they were accidentally leaked by developers in public repositories and allowed threat actors to publish malicious extensions in a supply chain attack. The leak was discovered by Wiz researchers two weeks ago, when they reported an exposure of over 550 secrets across Microsoft VSCode and Open VSX marketplaces. Some […]
PhantomRaven attack floods npm with credential-stealing packages
An active campaign named ‘PhantomRaven’ is targeting developers with dozens of malicious npm packages that steal authentication tokens, CI/CD secrets, and GitHub credentials. The activity started in August and deployed 126 npm packages that counted more than 86,000 downloads. The Node Package Manager (NPM) is the default package manager for Node.js, used by JavaScript developers […]