Skip to content
The Nexus
DossierENTITY

npm

Coverage of npm in the Nexus archive.

Earliest in view: May 11 · 21:08 UTCMost recent: Jul 4 · 11:17 UTC
Co-mentioned in this coverage
Recent coverage
  • SECURITYJul 4 · 11:17 UTCTHE HACKER NEWS
    North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

    North Korean threat actors have published 108 malicious packages and web browser extensions across npm, Packagist, Go, and Google Chrome as part of the PolinRider campaign. The campaign remains active, with new malicious packages likely to continue appearing.

  • SECURITYJun 29 · 05:36 UTCTHE HACKER NEWS
    Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

    Cybersecurity researchers discovered hijacked npm and Go packages that deploy a Python-based information stealer using VS Code tasks on Windows, Linux, and macOS systems. The attack bypasses common npm execution paths to avoid detection by security measures like those in npm v12.

  • SECURITYJun 26 · 12:18 UTCTHE REGISTER
    Miasma campaign poisons 20-plus npm packages, hunts for developer secrets

    The Miasma malware campaign has poisoned over 20 npm packages in the Leo Platform and RStreams ecosystems, targeting developer credentials and CI environments. The attack, executed in under three seconds by compromising an npm maintainer account, steals secrets from cloud providers, GitHub, and other platforms, and republishes packages to propagate further.

  • SECURITYJun 11 · 06:23 UTCTHE HACKER NEWS
    GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

    GitHub is introducing breaking changes in npm version 12 to disable install scripts by default, aiming to prevent supply chain attacks. The update targets malicious code execution via npm lifecycle hooks during the 'npm install' command.

  • SECURITYJun 10 · 19:41 UTCBLEEPING COMPUTER
    GitHub announces npm security changes to tackle supply-chain attacks

    GitHub has announced npm v12 will introduce security-focused changes to block supply-chain attacks exploiting the 'npm install' command. The updates aim to prevent malicious behaviors triggered by this command.

  • SECURITYJun 5 · 18:05 UTCTHE HACKER NEWS
    IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks

    Multiple supply chain attacks targeted the npm ecosystem using malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm. JFrog identified the information stealer as hiding behind an eBPF kernel rootkit to scrape secrets from developers' machines.

  • SECURITYJun 4 · 21:47 UTCDARK READING
    Rust-Written IronWorm Hits NPM Supply Chain

    A Rust-written malware called IronWorm is targeting the NPM supply chain to steal developer credentials and reuse them for propagation. The campaign focuses on compromising software supply channels through credential theft.

  • SECURITYJun 4 · 15:25 UTCBLEEPING COMPUTER
    New IronWorm malware hits 36 packages in npm supply-chain attack

    A new supply-chain attack has infected 36 packages on the Node Package Manager (npm) index with infostealer malware called IronWorm.

  • SECURITYJun 1 · 21:54 UTCTHE REGISTER
    Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week

    Security researchers discovered malware in 32 Red Hat npm package releases, which were downloaded 80,000 times weekly. The Mini Shai-Hulud worm, linked to TeamPCP, was embedded via a compromised GitHub account, stealing credentials and enabling supply chain propagation. Red Hat removed the packages, stating they were internal and not used in customer systems.

  • SECURITYJun 1 · 21:38 UTCBLEEPING COMPUTER
    Red Hat npm packages compromised to steal developer credentials

    More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed 'Miasma'.

  • SECURITYJun 1 · 17:40 UTCTHE HACKER NEWS
    Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

    A supply chain attack named Miasma has compromised Red Hat npm packages, using a credential-stealing worm with tactics similar to the Mini Shai-Hulud campaign. The attack includes install-time execution, credential harvesting, and encrypted data exfiltration.

  • SECURITYJun 1 · 16:58 UTCHACKER NEWS
    Show HN: DepsGuard – one command to harden NPM/pnpm/yarn/bun/uv configs

    DepsGuard is a Rust-based tool that automates configuring security settings (like cooldowns and script restrictions) across NPM, pnpm, yarn, bun, and uv package managers. It addresses the complexity of manually editing multiple config files by providing a single command to apply recommended hardening measures, including min-release-age and ignore-scripts policies.

  • SECURITYJun 1 · 09:31 UTCTHE HACKER NEWS
    OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack

    Cybersecurity researchers revealed a malicious supply chain attack targeting OpenAI Codex users via the codexui-android npm package, which is promoted as a remote web UI and has over 29,000 weekly downloads. The package remains available for download despite the security risks it poses.

  • SECURITYMay 29 · 21:46 UTCTHE REGISTER
    Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries

    A lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch, and DevOps libraries, using typosquatting and metadata spoofing to steal cloud credentials and CI/CD secrets. Microsoft reported the attack, which involved a credential-harvesting payload and techniques like inflated version numbers to appear legitimate, with all packages later removed.

  • SECURITYMay 27 · 20:33 UTCTHE REGISTER
    Malware dev tries to steal Claude users' secrets, writes npm slop, leaks own GitHub private token

    A malware package named 'mouse5212-super-formatter' targeting Claude users was removed from npm after 676 downloads. It leaked the attacker's GitHub private token, enabling researchers to trace stolen files. The malware, analyzed by OX Security, exfiltrates sensitive data via GitHub and uses deceptive techniques to avoid detection.

  • SECURITYMay 25 · 09:52 UTCTHE BLOCK
    Researchers flag TrapDoor malware campaign targeting crypto developer environments including Aptos, Sui and Solana

    Researchers identified the TrapDoor malware campaign using malicious packages on npm, PyPI, and Crates.io to target crypto developer environments, including Aptos, Sui, and Solana. The campaign exploited package repositories to compromise developers working in blockchain ecosystems.

  • SECURITYMay 25 · 05:59 UTCTHE HACKER NEWS
    TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO

    A coordinated cross-ecosystem supply chain attack named TrapDoor has distributed credential-stealing malware through npm, PyPI, and Crates.io, involving over 34 malicious packages across 384 versions. The campaign began on May 22, 2026, with packages published in waves from a cluster of sources.

  • SECURITYMay 23 · 16:35 UTCTHE HACKER NEWS
    npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

    GitHub has introduced staged publishing on npm, requiring maintainers to approve package releases via two-factor authentication (2FA) to enhance software supply chain security. This feature aims to prevent unauthorized or malicious package distributions by mandating human verification before public installation.

  • TECHNOLOGYMay 22 · 19:49 UTCHACKER NEWS
    GitHub introduces staged publishing and new install-time controls for NPM

    GitHub has introduced staged publishing for NPM packages, allowing developers to delay public visibility until ready. New install-time controls help manage package versions and dependencies during installation, enhancing security and reliability for NPM users.

  • SECURITYMay 21 · 19:54 UTCTHE REGISTER
    Npm registry sets stage for more secure package publishing

    GitHub has implemented staged publishing for npm packages, requiring maintainer approval via two-factor authentication before packages become publicly available. This security measure aims to prevent compromised packages from poisoning the software supply chain by addressing the vulnerability of automated workflows that rely on tokens. The feature, discussed since 2020, works alongside trusted publishing using OIDC authentication to improve overall package security.

  • SECURITYMay 21 · 06:54 UTCBLEEPING COMPUTER
    GitHub links repo breach to TanStack npm supply-chain attack

    GitHub disclosed that hackers breached 3,800 internal repositories by exploiting a malicious version of the Nx Console VS Code extension, which was compromised during last week's TanStack npm supply-chain attack. The incident represents a significant security vulnerability in the software development supply chain.

  • SECURITYMay 19 · 15:28 UTCCYBERSCOOP
    Mini Shai-Hulud returns, compromising hundreds of npm packages

    A self-replicating malware campaign known as Mini Shai-Hulud has resurfaced, embedding itself across hundreds of npm packages and compromising developer environments. The threat actor behind it, TeamPCP, has been linked to earlier waves of the same campaign. The malware can spread autonomously and install persistent backdoors at the operating system level.

  • SECURITYMay 19 · 14:30 UTCBLEEPING COMPUTER
    New Shai-Hulud malware wave compromises 600 npm packages

    Threat actors published over 600 malicious packages to the Node Package Manager index as part of a new Shai-Hulud supply-chain campaign, compromising 600 npm packages. This campaign is a significant attack on the software supply chain. The attack was carried out earlier today.

  • SECURITYMay 19 · 12:58 UTCTHE REGISTER
    Shai-Hulud keeps burrowing: 314 npm packages infected after another account compromise

    An npm account compromise infected 314 npm packages with malware, including popular packages such as size-sensor and echarts-for-react. The compromised account belongs to a developer based in Hangzhou, China, and the malware has been reported on GitHub. Developers who have installed compromised package versions are advised to rotate credentials and check for unauthorized repositories.

  • SECURITYMay 19 · 05:04 UTCHACKER NEWS
    Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised

    Mini Shai-Hulud has compromised 314 npm packages, marking a significant security incident in the technology sector. The attack highlights vulnerabilities in the npm ecosystem and potential risks for developers relying on these packages. Further analysis is required to determine the full extent of the compromise.

  • SECURITYMay 19 · 04:54 UTCTHE HACKER NEWS
    Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

    Cybersecurity researchers discovered a software supply chain attack campaign compromising npm packages associated with the @antv ecosystem, affecting packages tied to the npm maintainer account atool, including echarts-for-react. The attack is part of the ongoing Mini Shai-Hulud attack wave, impacting roughly 1.1 million weekly users. This campaign compromises various npm packages.

  • SECURITYMay 18 · 22:07 UTCTHE REGISTER
    Shai-Hulud copycat worm infects yet another npm package

    A Shai-Hulud copycat worm has been found in another npm package, chalk-tempalte, which is a malicious extension of the popular JavaScript library Chalk. The poisoned package contains a clone of Shai-Hulud, which steals secrets and sends them to a remote server. Four malicious packages have been detected, with a total of 2,678 weekly downloads.

  • SECURITYMay 18 · 17:28 UTCBLEEPING COMPUTER
    Leaked Shai-Hulud malware fuels new npm infostealer campaign

    The Shai-Hulud malware has been leaked and is being used in new attacks on the Node Package Manager index, with infected packages emerging over the weekend. This malware is fueling a new npm infostealer campaign. The attacks are targeting the npm index.

  • SECURITYMay 18 · 13:50 UTCTHE HACKER NEWS
    ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

    A mail server flaw was under active use and a network control system was targeted, resulting in poisoned trusted packages and a fake model page pushing a stealer. The pattern of exploiting weak dependencies to gain cloud access is clear. This has led to ransom claims and potential production compromises.

  • SECURITYMay 18 · 11:23 UTCTHE HACKER NEWS
    Developer Workstations Are Now Part of the Software Supply Chain

    Supply chain attackers are targeting developer workstations to steal access and secrets, including API keys and cloud credentials, with three campaigns hitting npm, PyPI, and Docker Hub in a 48-hour window. This highlights the growing risk of software supply chain attacks. The attacks targeted secrets from developer environments and CI/CD pipelines.

  • SECURITYMay 18 · 08:57 UTCTHE HACKER NEWS
    Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

    Cybersecurity researchers discovered four malicious npm packages containing information-stealing malware and DDoS malware. The packages have a total of 3006 downloads. One of the packages is a clone of the Shai-Hulud worm.

  • SECURITYMay 15 · 17:10 UTCBLEEPING COMPUTER
    Popular node-ipc npm package compromised to steal credentials

    Hackers have compromised the node-ipc npm package by injecting credential-stealing malware into its newly published versions, targeting npm in a supply chain attack. This attack aims to steal credentials from users of the popular inter-process communication package. The incident highlights a significant security risk for users relying on the package.

  • SECURITYMay 15 · 10:08 UTCTHE REGISTER
    OpenAI caught in TanStack npm supply chain chaos after employee devices compromised

    OpenAI was caught up in the TanStack npm supply chain compromise after employee devices were compromised, forcing the company to rotate signing certificates for several desktop products. The incident is part of a wider campaign targeting npm ecosystems and developer infrastructure. No customer data or production systems were compromised.

  • SECURITYMay 14 · 20:26 UTCRECORDED FUTURE NEWS
    OpenAI asks macOS users to update after TanStack npm supply chain attack

    OpenAI is asking macOS users to update due to a supply chain attack impacting TanStack and other npm and PyPI packages tied to AI companies. The attack is part of an expanding campaign affecting several AI companies. Users are being warned to take action to protect themselves.

  • SECURITYMay 14 · 19:07 UTCBLEEPING COMPUTER
    OpenAI confirms security breach in TanStack supply chain attack

    OpenAI experienced a security breach due to the TanStack supply chain attack, resulting in the compromise of two employees' devices and affecting hundreds of npm and PyPI packages. The company has rotated code-signing certificates as a precautionary measure. This incident highlights the potential risks associated with supply chain attacks.

  • SECURITYMay 12 · 12:00 UTCTHE REGISTER
    Cache-poisoning caper turns TanStack npm packages toxic

    An attacker published 84 malicious versions of TanStack npm packages, leading to credential theft and disk wipe, as part of a wave of attacks across npm and PyPI. The attack was detected within 30 minutes by StepSecurity, triggering incident response and npm deprecation. GitHub has published a security advisory with recommended actions.

  • SECURITYMay 12 · 11:29 UTCBLEEPING COMPUTER
    Shai Hulud attack ships signed malicious TanStack, Mistral npm packages

    A new Shai-Hulud supply-chain campaign has compromised hundreds of packages on npm and PyPI, delivering credential-stealing malware targeting developers. The malicious packages include TanStack and Mistral. This campaign affects developers using these packages.

  • SECURITYMay 12 · 11:07 UTCDARK READING
    Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain

    A worm from TeamPCP has infected hundreds of npm packages related to the TanStack ecosystem, posing a threat to the supply chain. The self-propagating worm is capable of stealing credentials. This incident highlights a significant security risk in the open-source community.

  • TECHNOLOGYMay 12 · 00:30 UTCHACKER NEWS
    Show HN: Safe-install – safer NPM installs with trusted build dependencies

    The safe-install package provides safer NPM installs with trusted build dependencies, allowing users to disable install scripts by default and define a list of allowed dependencies. It also supports blocking exotic sub-dependencies. The package was created in response to ongoing npm supply chain compromises.

  • SECURITYMay 11 · 21:08 UTCHACKER NEWS
    TanStack NPM Packages Compromised

    TanStack's NPM packages have been compromised, as reported in an issue on the TanStack router GitHub page, with discussions also taking place on a news thread. The compromise of these packages poses potential security risks for users. Details and comments can be found through provided URLs.