#npm

[ follow ]
#malware #supply-chain-attack #phishing #credential-theft #software-supply-chain #supply-chain #cybersecurity
fromThe Hacker News
8 hours ago

Shai-Hulud v2 Campaign Spreads From npm to Maven, Exposing Thousands of Secrets

The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js." "This means the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems, driven by the same Shai Hulud v2 payload,"
Science
#malware
JavaScript
fromTheregister
4 months ago

npm phishing attack laces popular packages with malware

The npm package 'is' was infected with cross-platform malware due to a phishing attack via a typosquatted clone of the npm site.
more#malware
#supply-chain-attack
fromInfoQ
1 month ago
Information security

NPM Ecosystem Suffers Two AI-Enabled Credential Stealing Supply Chain Attacks

fromInfoQ
1 month ago
Information security

NPM Ecosystem Suffers Two AI-Enabled Credential Stealing Supply Chain Attacks

more#supply-chain-attack
fromInfoWorld
2 days ago

New Shai-Hulud worm spreading through npm, GitHub

A new version of the Shai-Hulud credentials-stealing self-propagating worm is expanding through the open npm registry, a threat that developers who download packages from the repository have to deal with immediately. Researchers at Wiz Inc. said Monday that in the early stages of the campaign late last week,a thousand new GitHub repositories containing harvested victim data were being added every 30 minutes. And researchers at JFrog identified 181 compromised packages.
Information security
#software-supply-chain
more#software-supply-chain
#supply-chain-security
fromInfoWorld
1 week ago
Information security

Worm flooding npm registry with token stealers still isn't under control

fromInfoWorld
1 week ago
Information security

Worm flooding npm registry with token stealers still isn't under control

more#supply-chain-security
fromThe Hacker News
1 week ago

Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack

The coordinated campaign has so far published as many as 46,484 packages, according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual - It's designed to inundate the npm registry with random packages rather than focusing on data theft or other malicious behaviors. The worm-life propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods.
Information security
#supply-chain
fromInfoWorld
2 months ago
Information security

Wave of npm supply chain attacks exposes thousands of enterprise developer credentials

fromInfoWorld
2 months ago
Information security

Wave of npm supply chain attacks exposes thousands of enterprise developer credentials

more#supply-chain
#nodejs
Node JS
fromInfoWorld
6 months ago

Node.js 24 drops MSVC support

Node.js 24 brings significant updates to the V8 engine and NPM, crucial for JavaScript development.
more#nodejs
Information security
fromThe Hacker News
3 weeks ago

10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux

Ten malicious npm packages deliver a multi-stage information stealer using obfuscation, fake CAPTCHA, IP fingerprinting, and a 24MB PyInstaller payload targeting Windows, Linux, and macOS.
Information security
fromArs Technica
4 weeks ago

NPM flooded with malicious packages downloaded more than 86,000 times

Attackers exploited NPM's Remote Dynamic Dependencies to publish over 100 credential-stealing packages that downloaded unseen malicious code from untrusted servers.
#phishing
more#phishing
Node JS
fromSecurityWeek
2 months ago

GitHub Boosting Security in Response to NPM Supply Chain Attacks

GitHub will require two-factor authentication for local NPM publishing and deploy short-lived, granular tokens plus trusted publishing to mitigate NPM supply-chain attacks.
Information security
fromTheregister
2 months ago

GitHub to remove weak security options for npm registry

GitHub is tightening npm publishing security by removing legacy authentication, shortening token lifetimes, enforcing 2FA, and shifting to trusted publishing with short-lived tokens.
Information security
fromZDNET
2 months ago

5 ways to spot software supply chain attacks and stop worms - before it's too late

Shai-Hulud is an ongoing, widespread npm software supply-chain worm attack compromising JavaScript packages and posing a major security crisis for JavaScript developers.
Web development
from2ality
2 months ago

Learning web development: Native package managers

Install an OS package manager to get native shell commands (like curl) that npm cannot provide, enabling non-JavaScript tools for web development tasks.
Web development
from2ality
2 months ago

Learning web development: Installing npm packages and bundling

Web apps use npm libraries, tests, and a bundling build step that outputs a single bundle and follows a project file structure.
Information security
fromThe Hacker News
2 months ago

Malicious npm Packages Exploit Ethereum Smart Contracts to Target Crypto Developers

Malicious npm packages used Ethereum smart contracts to hide commands and deliver downloader malware, leveraging GitHub repositories to lure developers and evade detection.
fromBleepingComputer
4 months ago

npm 'accidentally' removes Stylus package, breaks builds and pipelines

npm has taken down all versions of the real Stylus library and replaced them with a 'security holding' page, breaking pipelines and builds worldwide that rely on the package.
Web development
Node JS
fromBleepingComputer
4 months ago

North Korean XORIndex malware hidden in 67 malicious npm packages

North Korean threat actors delivered malware through 67 malicious npm packages, affecting over 17,000 downloads.
Node JS
fromInfoQ
5 months ago

Deno 2.3 Now Supports Local NPM Packages

Deno 2.3 enhances local NPM package support and deno compile for streamlined development.
#cybersecurity
fromThe Hacker News
6 months ago
Node JS

Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials

Three malicious npm packages targeting Cursor on macOS are stealing user credentials and distributing harmful upgrades to the software.
Node JS
fromThe Hacker News
7 months ago

Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems

Three malicious npm packages disguised as a Telegram bot library have been found, containing SSH backdoors and data exfiltration functionalities.
Node JS
fromThe Hacker News
7 months ago

Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems

Three malicious npm packages disguised as a Telegram bot library have been found, containing SSH backdoors and data exfiltration functionalities.
more#cybersecurity
Node JS
fromInfoWorld
5 months ago

NPM adds Workspaces for managing multiple packages

NPM 7.0.0 introduces Workspaces and automatic peer dependency installation, streamlining package management for developers.
fromInfoWorld
1 year ago

Deno boosts dependency management with JSR

Deno 1.42 includes major updates for Node.js and NPM compatibility, enhancing modules such as async_hooks, crypto, and worker_threads for improved performance.
Node JS
Node JS
fromThe Hacker News
7 months ago

Malicious npm Package Targets Atomic Wallet, Exodus Users by Swapping Crypto Addresses

Attackers upload malicious npm packages to target crypto wallet software, enabling them to manipulate transactions covertly.
[ Load more ]