Security News

Malicious Rspack, Vant packages published using stolen NPM tokens
2024-12-20 17:47

Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers. [...]

Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack
2024-12-20 08:39

The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish...

Thousands Download Malicious npm Libraries Impersonating Legitimate Tools
2024-12-19 13:56

Threat actors have been observed uploading malicious typosquats of legitimate npm packages such as typescript-eslint and @types/node that have racked up thousands of downloads on the package...

Solana blockchain's popular web3.js npm package backdoored to steal keys, funds
2024-12-05 23:13

Damage likely limited to those running bots with private key access. Malware-poisoned versions of the widely used JavaScript library @solana/web3.js were distributed via the npm package registry,...

Researchers Uncover Backdoor in Solana's Popular Web3.js npm Library
2024-12-04 09:48

Cybersecurity researchers are alerting to a software supply chain attack targeting the popular @solana/web3.js npm library that involved pushing two malicious versions capable of harvesting users'...

XML-RPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner
2024-11-28 10:48

Cybersecurity researchers have discovered a software supply chain attack that has remained active for over a year on the npm package registry by starting off as an innocuous library and later...

Malicious NPM Packages Target Roblox Users with Data-Stealing Malware
2024-11-08 11:53

A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and...

Ongoing typosquatting campaign impersonates hundreds of popular npm packages
2024-11-05 16:28

Puppeteer or Pupeter? One of them will snoop around on your machine and steal your credentials. An ongoing typosquatting campaign is targeting developers via hundreds of popular JavaScript...

Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages
2024-11-05 05:33

An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware. The attack is...
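The three typosquatting reports above (the typescript-eslint and @types/node lookalikes, and the hundreds of Puppeteer-style near-miss names) all depend on a dependency name that is one or two characters, or one scope separator, away from a real package. The check below is an added example written for this page, not code from any of the articles or projects mentioned: it normalizes dependency names from a package.json and flags any that collapse onto, or sit within a small edit distance of, an entry in a list of well-known packages. The POPULAR_PACKAGES list and the sample manifest are constructed for the example (the real campaigns used other names; "pupeter" is taken from the headline above, "types-node" and "typescript_eslint" are illustrative), and the function names are assumptions.

```javascript
// Added example (not code from any project or article on this page): flag
// dependencies whose names are a short edit away from a well-known npm package,
// the pattern the typosquatting campaigns in these reports rely on.
// POPULAR_PACKAGES is a constructed sample, not a registry download.

const POPULAR_PACKAGES = [
  "typescript-eslint",
  "@types/node",
  "puppeteer",
  "lodash",
  "express",
  "@solana/web3.js",
];

// Collapse the ways an attacker disguises a name: case, the "@" scope marker,
// and the separators "/", "_" and "." all map to "-".
function normalizeName(name) {
  return name.toLowerCase().replace(/^@/, "").replace(/[\/_.]/g, "-");
}

// Plain Levenshtein distance (insert, delete, substitute each cost 1),
// computed with a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // holds dp[i-1][j-1] as j advances
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // dp[i-1][j], still untouched for this row
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Classify one dependency name against the popular list. Returns null when the
// name is either an exact legitimate match or not close to anything.
function classifyDependency(name, popular = POPULAR_PACKAGES, maxDistance = 2) {
  if (popular.includes(name)) return null; // the genuine package, nothing to flag
  const norm = normalizeName(name);
  let best = null;
  for (const target of popular) {
    const d = levenshtein(norm, normalizeName(target));
    if (best === null || d < best.distance) best = { target, distance: d };
  }
  if (best === null) return null;
  if (best.distance === 0) {
    // Same letters once scope and separators are stripped, e.g. "types-node"
    // standing in for "@types/node".
    return { name, lookalike: best.target, distance: 0, reason: "scope-or-separator-variant" };
  }
  if (best.distance <= maxDistance) {
    return { name, lookalike: best.target, distance: best.distance, reason: "near-miss" };
  }
  return null;
}

// Run the check over "dependencies" and "devDependencies" of a parsed
// package.json object and return every finding.
function auditPackageJson(pkg, popular = POPULAR_PACKAGES) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  return names.map((n) => classifyDependency(n, popular)).filter((f) => f !== null);
}

// Constructed sample manifest: two legitimate entries and three lookalikes.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { express: "^4.19.2", pupeter: "^22.0.0", "types-node": "^20.0.0" },
  devDependencies: { "@types/node": "^20.11.0", typescript_eslint: "^8.0.0" },
});

for (const f of auditPackageJson(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`${f.name} -> looks like ${f.lookalike} (${f.reason}, distance ${f.distance})`);
}
```

The distance threshold is deliberately loose, so treat the output as a review list rather than a block list: a short edit distance to a popular name is also what a legitimate fork or companion package often has, and in a real pipeline the popular list would come from registry download counts and be paired with an allow list of vetted names. The zero-distance case is worth keeping separate because it catches the scope-dropping and separator-swapping variants that a plain edit-distance threshold on the raw name would miss.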

LottieFiles Issues Warning About Compromised "lottie-player" npm Package
2024-10-31 14:16

LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library. "On October 30th ~6:20 PM...