"People downloading open source packages should take extra care in making sure the item they’re downloading is legitimate and not malware masquerading as something legitimate."
Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world. The 'coa' library, short for Command-Option-Argument, ...
Security researchers from ReversingLabs find two malicious packages on npm. These serve as downloaders and target software developers building on the Ethereum blockchain. The malware opens a reverse ...
ISLAMABAD: A critical supply chain compromise has been disclosed in the npm JavaScript ecosystem, exposing enterprises worldwide to risks of cryptocurrency theft, credential leakage and unauthorized ...
Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open ...
Malware hidden in widely used libraries like chalk and debug hijacked crypto transactions via browser APIs, exposing deep flaws in the open-source trust model. A massive supply chain attack ...
Cybersecurity researchers at Endor Labs discovered more than 43,000 spam packages which took almost two years to upload in a ...