Researchers at Zscaler ThreatLabz have found three malicious Bitcoin npm packages that are meant to implant malware named ...

Researchers uncovered 27 malicious npm packages used over five months to host phishing pages that steal credentials from ...

Shai Hulud v2 infected 500+ npm packages (700+ versions) and spilled into Java/Maven — yikes. Compromised packages run a preinstall loader that downloads Bun and executes a 10MB obfuscated payload ...

The popular npm package "is" was infected with cross-platform malware, around the same time that linting utility packages used with the prettier code formatter were infected with Windows-only malware.

An ongoing npm credential harvesting campaign operating since August 2025 has been discovered by researchers at Koi Security. The malware, dubbed PhantomRaven by the researchers, is actively stealing ...

Malicious npm packages are using unique anti-evasion and targeting tactics to identify and redirect victims to cryptocurrency-themed scam websites, researchers have found. Socket Threat Research ...

Security researchers have uncovered another large-scale, coordinated attack on the npm ecosystem, using worm-like techniques to spread spam packages. Dubbed “IndonesianFoods” due to the unique naming ...

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on ...

Amazon researchers discovered more than 150,000 malicious packages in the NPM registry, in what they called "a defining moment in supply chain security." The packages were part of a token farming ...

Ethereum smart contracts used to hide URL to secondary malware payloads in an attack chain triggered by a malicious GitHub repo. Attackers behind a recent supply chain attack that involved rogue ...

Update 8/5/25: Added Toptal's statement at the end of the article, which says their investigation determined noone was impacted by this breach. Hackers compromised Toptal's GitHub organization account ...

A new strain of the Shai Hulud worm is discovered by researchers, signaling the self-propagating supply chain threat ...