Threat actors compromised AsyncAPI packages and weaponized trusted CI/CD workflows to distribute malware through npm. This ...
Lazarus Group concealed a four-module remote access toolkit inside six fake npm Rollup polyfill packages that fired at import time — not install time — evading npm v12’s script-blocking defaults and ...
Hackers compromised the Injective Labs SDK project's GitHub repository and used it to publish a malicious package on the Node ...
JFrog finds 148 npm proxy packages turned student browsers into a DDoS botnet, while a mutable loader lets operators re-arm ...
JavaScript engineering teams have a shrinking window to prepare: npm v12, the package manager's most significant security redesign in its 16-year history, is expected to reach final release before the ...
A malicious npm package has been caught impersonating one of the JavaScript ecosystem's most widely used build tools. The lookalike package hid a multi-stage Windows remote access trojan (RAT) in a ...
Telegram Serverless lets developers deploy bot backends on Telegram's own infrastructure with a single tgcloud command, but ...
Installing a piece of code from NPM will no longer auto-run malware on the system, and won’t quietly pull malicious code from external repos unless the developer explicitly allows it. But this won’t ...
Five malicious versions of AsyncAPI packages were published to the Node Package Manager (npm) in a supply-chain attack that ...