In a newly disclosed supply-chain attack, an npm package “postmark-mcp” was weaponized to stealthily exfiltrate emails, ...

In the light of recent supply chain attacks targeting the NPM ecosystem, GitHub will implement tighter authentication and ...

Newly discovered npm package 'fezbox' employs QR codes to hide a second-stage payload to steal cookies from a user's web browser. The package, masquerading as a utility library, leverages this ...

The Shai-Hulud NPM worm highlights rising open-source supply chain threats. Secure builds with SBOMs, MFA, signed packages, and zero-trust defenses.

A new piece of malware is spreading through the popular tinycolor NPM library and more than 300 other packages, some of which ...

Security researchers worldwide are warning about a supply-chain attack on the Node Package Manager (NPM), where a ...

It is possible that the attackers behind this attack are the same ones as last time. Their malicious code bears the name of a prominent science fiction monster.

A new cross-platform malware named “ModStealer” actively targets crypto wallets while remaining undetected by major antivirus software. The malware is reportedly built to steal sensitive data from ...

The code includes pre-loaded instructions to target 56 browser wallet extensions and is designed to extract private keys, credentials, and certificates.

Qix is an open source maintainer account that was compromised by a phishing attack. This allowed attackers to infect 18 popular npm packages with malicious code. Together, these packages are ...

The credential stealer harvested username, password, and 2FA codes before sending them to a remote host. With full access, the attacker republished every "qix" package with a crypto-focused payload.

A successful phishing attack against a developer has resulted in one of the largest supply chain compromises to date, adding malicious code to JavaScript packages with around 2.7 billion weekly ...