Cybernews

The 2025 npm worm that shook the software supply chain

As a worm spread through hundreds of npm packages in 2025, it didn't exploit a vulnerability – it exploited the architecture.
Ars Technica

NPM flooded with malicious packages downloaded more than 86,000 times

Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. The finding, ...
Krebs on Security

18 Popular Code Packages Hacked, Rigged to Steal Crypto

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved ...
Hosted on MSN

Shai-Hulud cyberattack hits over 25,000 npm projects, stealing developer credentials

A second wave of the Shai-Hulud supply-chain attack has struck the npm software ecosystem, affecting more than 25,000 projects and hundreds of developers, Israeli tech firm Sola Security announced on ...