CSOonline

Malicious npm packages found to create a backdoor in legitimate code

Researchers found malicious packages on the npm registry that, when installed, inject malicious code into legitimate npm packages already residing on developers’ machines. Attackers who target ...
Krebs on Security

18 Popular Code Packages Hacked, Rigged to Steal Crypto

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved ...
heise online

Remote access Trojan found in npm package with 40,000 weekly downloads

Compromised variants of the "rand-user-agent" package have surfaced on npm, which had a remote access Trojan on board. Although the random user agent is marked as obsolete, it is still downloaded a ...
Hackaday

This Week In Security: NPM, Kerbroasting, And The Rest Of The Story

Two billion downloads per week. That’s the download totals for the NPM packages compromised in a supply-chain attack this week. Ninety-nine percent of the cloud depends on one of the packages, and one ...
Gehost op MSN

One line of malicious npm code led to massive Postmark email heist

A fake npm package posing as Postmark's MCP (Model Context Protocol) server silently stole potentially thousands of emails a day by adding a single line of code that secretly copied outgoing messages ...