A typosquatted npm package named “@acitons/artifact” impersonated the legitimate “@actions/artifact” to exploit GitHub's CI/CD workflows. It stole tokens from build environments and published malicious artifacts, highlighting vulnerabilities in supply chain security.

Socket has launched a Threat Intel page that tracks ongoing supply chain attack campaigns affecting open-source packages. The new feature helps teams quickly determine if they are impacted by these coordinated attacks and provides context for affected packages.

A coordinated effort has released over 67,000 fake npm packages since early 2024, aimed at flooding the registry rather than stealing data. The malicious packages use JavaScript scripts that require manual execution to propagate, creating a self-replicating network that burdens the platform. Researchers link this activity to a monetization scheme involving TEA tokens.

The article discusses a method for securely managing package releases using a "valet key" approach. It outlines how to grant limited access to release tokens while ensuring a clear approval process and full audit trails, ultimately reducing the risk of supply-chain attacks.

This article outlines key security measures for npm maintainers in response to recent attacks, including the Shai-Hulud incident. It emphasizes using trusted publishing, enforcing two-factor authentication, and adopting WebAuthn for better account protection. These steps aim to strengthen the overall security of the npm ecosystem.

npm is implementing a staged publishing model to add a review step before packages go live, following a series of supply chain attacks in 2025. This change aims to give maintainers a chance to catch malicious or unintended changes before they are published. The new process requires multi-factor authentication for approval during the staging period.

safe-npm is a tool that helps protect projects from compromised npm packages by only allowing the installation of versions that are at least 90 days old. This approach provides time for the security community to identify and address malicious updates. It offers various features for managing dependencies while prioritizing safety.

This tool, called "undelete," allows users to recover packages removed from NPM and PyPI by querying secondary mirrors that might still have cached versions. It also retrieves package metadata, which is helpful for security researchers investigating malicious deletions. The command-line utility requires Node.js 14 or higher.

Researchers found that open source packages on npm and PyPI were infected with malware that stole wallet credentials from dYdX developers and users. The malicious code captured seed phrases and device fingerprints, leading to potential irreversible theft of cryptocurrency. The attack affected multiple versions of the compromised packages.

A serious security vulnerability in the "@react-native-community/cli" npm package allowed attackers to execute arbitrary OS commands on development servers. The flaw, tracked as CVE-2025-11953, was patched in version 20.0.0 after being discovered by JFrog's security team. Developers using affected versions are at risk if they run the Metro development server.

This article details a significant npm supply chain attack that compromised an engineer's credentials, allowing unauthorized access to multiple repositories. The attacker cloned 669 repositories and closed numerous pull requests before being detected and removed from the GitHub organization. Thankfully, published packages remained secure throughout the incident.

This article details how ten malicious npm packages use typosquatting techniques to execute credential harvesting malware on developers' systems. It describes the multi-stage process, including automatic execution, IP tracking, and extensive data extraction methods targeting various operating systems.

On November 24, 2025, over 1,000 NPM packages were compromised using a fake Bun runtime, leading to the infection of more than 27,000 GitHub repositories. The malicious code steals sensitive information and exfiltrates it via a GitHub Action runner. This incident appears to be linked to a previous attack identified as "Shai-Hulud."

This article outlines recent npm security breaches and provides a checklist for securing npm publish workflows. It emphasizes the importance of using granular npm tokens, 2FA, and trusted publishers to minimize risks from compromised credentials.

The lotusbail npm package masquerades as a legitimate WhatsApp API library but contains sophisticated malware that steals user credentials, messages, and contacts. It captures data by intercepting communications and uses custom encryption to evade detection. Even after uninstalling the package, attackers retain access to compromised accounts.

Security flaws in npm's defenses against supply-chain attacks allow hackers to bypass protections through Git dependencies. Although other package managers have patched their vulnerabilities, npm rejected a vulnerability report from Koi Security, claiming users must vet package content themselves.

The article discusses a recent supply chain attack targeting the npm ecosystem, which compromised the Shai Hulud package. It highlights the implications of such attacks on software security, emphasizing the need for vigilance in managing dependencies and securing the software supply chain.

The article discusses a major npm supply chain hack affecting the eslint-config-prettier package, highlighting the risks associated with third-party dependencies in software development. It emphasizes the importance of securing package management ecosystems to prevent similar vulnerabilities in the future.

Malicious npm packages are utilizing the Ethereum blockchain to facilitate malware delivery, raising concerns about the security of the JavaScript package ecosystem. These packages exploit vulnerabilities to deliver harmful code, leveraging blockchain technologies to obfuscate their operations and evade detection. Developers are urged to exercise caution and implement protective measures against such threats.

npq is a tool designed to audit npm packages before installation, enhancing security by checking for vulnerabilities, package age, download counts, and other criteria. It integrates seamlessly with npm and can be used with other package managers by specifying environment variables, thus ensuring a safer installation process for developers. However, it is important to note that no tool can guarantee absolute safety from malicious packages.

A malicious update in the npm package postmark-mcp introduced a backdoor that silently exfiltrates emails from users to an external server, highlighting severe vulnerabilities in the trust model of MCP servers used by AI assistants. With over 1,500 weekly downloads, developers unknowingly handed over complete email control to a compromised tool, raising alarms about the security of tools integrated into enterprise workflows. Immediate action is required to remove the malicious package and audit other MCP servers for similar risks.

A recent supply chain attack has compromised several npm packages, allowing the distribution of backdoor malware. This incident highlights vulnerabilities in the software supply chain, emphasizing the need for enhanced security measures in package management systems.

Pastoralist is a command-line tool designed to automate the tracking and management of security dependency issues in npm projects, including overrides and resolutions. It helps developers manage dependency versions, detect security vulnerabilities, and clean up unneeded overrides, ultimately simplifying package management in both monorepo and single-package scenarios. The tool provides various commands for scanning, fixing vulnerabilities, and maintaining an organized appendix of dependency information.

A report has revealed that 40 npm packages have been compromised as part of a supply chain attack, exposing vulnerabilities that could potentially affect thousands of projects. The malicious packages were designed to steal sensitive data and create backdoors for attackers, highlighting the ongoing risks in open-source software ecosystems. Developers are urged to review their dependencies and ensure they are not using affected packages.

A recent NPM supply chain attack involving a self-propagating worm called Shai-Hulud has highlighted the vulnerability of package registries like NPM. Sysdig's Threat Intelligence Feed offers real-time insights into these threats, enabling organizations to quickly assess their exposure and respond effectively. By monitoring malicious NPM packages, Sysdig aids security teams in identifying risks and taking action promptly.

Researchers discovered 60 malicious packages on NPM designed to collect sensitive host and network information, sending it to a Discord webhook. These packages, which were uploaded under misleading names, posed a significant risk for targeted network attacks, and although reported, some remained available for download at the time of writing. Additionally, another campaign involved eight typosquatting packages capable of deleting files and corrupting data, which had been present on NPM for two years.

The article discusses the vulnerabilities in the npm supply chain and emphasizes the importance of securing software dependencies. It highlights insights from industry expert Brian Fox on how to mitigate risks associated with open-source components. The piece advocates for better practices and tools to enhance security in software development.

Researchers from Safety have discovered infostealer malware targeting Russian cryptocurrency developers through npm packages designed to appear legitimate. These malicious packages, which aim to extract sensitive information such as cryptocurrency credentials, are linked to servers in the USA, raising suspicions of state-sponsored activity against Russia's ransomware operators. Developers in the Solana ecosystem are advised to secure their software supply chains to mitigate these threats.

GitHub outlines its strategy to enhance the security of the npm supply chain, focusing on improving the safety of open-source software dependencies. The plan includes implementing better verification processes and tools to mitigate risks associated with malicious packages and vulnerabilities.

A critical security alert was issued regarding 18 widely-used npm packages that were compromised to include malicious code, which secretly intercepted crypto and web3 activities in users' browsers. The affected packages, including popular ones like "chalk" and "debug," collectively accounted for over 2 billion downloads weekly. Users are advised to utilize Aikido's safe-chain to avoid such vulnerabilities.

The article discusses the escalating risks associated with NPM supply chain attacks, highlighting Microsoft's role as a "bad actor" in software security. It reflects on past incidents and emphasizes the need for better security measures in the software ecosystem to prevent exploitation by malicious actors.

Recent updates to Node.js have integrated many features that previously required third-party npm packages, enhancing security, reducing dependency bloat, and simplifying application maintenance. Notable replacements include global functions like fetch() and WebSocket, as well as built-in testing and database functionalities. This evolution encourages developers to leverage core capabilities while considering tools like N|Solid for monitoring and optimization.

Multiple DuckDB-related npm packages were compromised, including duckdb and its associated modules, which contained malicious code aimed at draining crypto wallets. The attack mirrors previous incidents of phishing in the npm ecosystem, leading to the vendor marking the latest release as deprecated and issuing an advisory on GitHub.

The npm author Qix was targeted in a significant supply chain attack through a phishing email that spoofed npm branding, tricking the author into compromising their account. Malicious code was introduced into several packages, redirecting cryptocurrency transactions to the attacker's addresses, highlighting the persistent threat of phishing in the open-source ecosystem.

The article discusses the various risks associated with using npm (Node Package Manager) for managing JavaScript packages, including issues related to security vulnerabilities, dependency management, and the impact of unmaintained packages. It emphasizes the importance of being vigilant and proactive in assessing the risks that come with third-party dependencies in software development.

The article discusses the discovery of backdoors in various Python npm packages, highlighting the security risks posed to both Windows and Linux systems. It emphasizes the need for developers and users to be vigilant when using third-party packages, as malicious code can lead to significant vulnerabilities.

The repository consolidates best practices for securing NPM, bun, deno, pnpm, and yarn environments against common vulnerabilities such as supply-chain attacks and malware. It emphasizes the importance of controlling dependency versions, using configuration options to enhance security, and leveraging built-in permission models to safeguard applications during runtime. Additionally, it provides guidance on tools and techniques for auditing and managing packages effectively.

The article discusses how Cloudflare's client-side security, particularly its Page Shield feature, effectively mitigated the risks posed by a recent npm supply chain attack where malicious code was injected into popular JavaScript packages. The advanced machine learning algorithms employed by Cloudflare allowed for rapid detection and prevention of potential crypto theft, ensuring the safety of users' applications against such vulnerabilities.