Compromised dYdX npm and PyPI packages delivered wallet-stealing malware and a RAT via poisoned updates in a software supply chain attack.

A researcher at Koi Security says the two key platforms have not plugged the vulnerabilities enabling the worm attacks, and ‘the JavaScript ecosystem deserves better.’ ...

What Happened in the Shai Hulud JavaScript Attack? A major JavaScript supply-chain attack has compromised more than 400 NPM packages — including at least 10 widely used across the crypto ecosystem — ...

A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input. The ...

Threat actors used automation to create over 175 malicious NPM packages targeting more than 135 organizations. Threat actors are abusing legitimate NPM infrastructure in a new phishing campaign that ...

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on ...

What the Script: Supply chain attacks are traditionally designed to inflict maximum damage on structured organizations or companies. However, when such an attack compromises a supply chain that an ...

NPM developer qix's account compromise potentially puts user funds at risk by compromising library dependencies used by bitcoin wallets. A major NPM developer, qix, has had their account compromised.

The breach hit core JavaScript libraries such as chalk and strip-ansi, downloaded billions of times each week, raising alarms over the security of open-source software. Hackers have compromised widely ...

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved ...