Security News

Over 800 npm Packages Found with Discrepancies, 18 Exploit 'Manifest Confusion'
2024-03-21 14:26

New research has discovered over 800 packages in the npm registry which have discrepancies from their registry entries, out of which 18 have been found to exploit a technique called manifest...

North Korean Hackers Targeting Developers with Malicious npm Packages
2024-02-26 12:27

A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show. The packages are named...

Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
2024-01-23 14:19

Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed. The...

Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package
2024-01-19 07:42

A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. The package, named "oscompatible," was published on...

'everything' blocks devs from removing their own npm packages
2024-01-04 09:55

Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of npm's policy. Everything prevents you from unpublishing your packages.

Blockchain dev's wallet emptied in "job interview" using npm package
2023-12-28 11:25

A blockchain developer shares his ordeal over the holidays when he was approached on LinkedIn by a "Recruiter" for a web development job. The recruiter in question asked the developer to download npm packages from a GitHub repository, and hours later the developer discovered his MetaMask wallet had been emptied.

48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems
2023-11-03 06:03

A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear...

Rogue npm Package Deploys Open-Source Rootkit in New Supply Chain Attack
2023-10-04 11:16

A new deceptive package hidden within the npm package registry has been uncovered deploying an open-source rootkit called r77, marking the first time a rogue package has delivered rootkit...

Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers
2023-10-03 14:59

Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from...

SSH keys stolen by stream of malicious PyPI and npm packages
2023-09-27 21:48

A stream of malicious npm and PyPi packages have been found stealing a wide range of sensitive data from software developers on the platforms. The campaign started on September 12, 2023, and was first discovered by Sonatype, whose analysts unearthed 14 malicious packages on npm.