Sometime around the last week of May 2026, attackers uploaded poisoned packages to three of the most widely used software registries on the internet within a span of roughly 48 hours. The targets were ...
Security researchers have uncovered two new malicious packages on the npm open source package manager that utilized GitHub to store stolen Base64-encrypted SSH keys taken from developer systems. These ...
Since 2017, hackers have been able to mimic legitimate packages on Node Package Manager (npm) by simply removing the capital letters in their titles. According to newly published research from ...
Twenty malicious packages impersonating the Hardhat development environment used by Ethereum developers are targeting private keys and other sensitive data. Collectively, the malicious packages have ...
A stream of malicious npm and PyPi packages have been found stealing a wide range of sensitive data from software developers on the platforms. The campaign started on September 12, 2023, and was first ...
Security companies flagged axios@1.14.1 and 0.30.4 as compromised, urging credential rotation and rollback of affected packages. Update March 31, 2026, 1:28 pm UTC: This article has been updated to ...
A new cyber threat, the "Shai-Hulud" worm, has compromised the Node Package Manager (npm) ecosystem, which is widely used by organizations for JavaScript development. This attack has resulted in ...