CSO Online

Malicious npm packages target the n8n automation platform in a supply chain attack

Researchers discovered malicious npm packages posing as n8n integrations, exfiltrating OAuth tokens and API keys from ...
Cryptopolitan on MSN

Malicious Bitcoin npm packages spread NodeCordRAT malware before takedown

Researchers at Zscaler ThreatLabz have found three malicious Bitcoin npm packages that are meant to implant malware named ...
GitHub

GitHub - maxgfr/package-checker.sh: A lightweight shell script that scans node / bun / deno projects to detect vulnerable npm packages using OSV and GHSA vulnerabilities ...

A flexible, lightweight shell script to detect vulnerable npm packages. Includes built-in GHSA and OSV vulnerability feeds with 200,000+ vulnerabilities, or use your own custom databases. -h, --help ...
Bleeping Computer

Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets

The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM (Node Package Manager) registry and publishing stolen data in 30,000 GitHub ...
financefeeds

Shai Hulud Malware Hits 400+ JavaScript Packages in Major NPM Supply-Chain Attack

What Happened in the Shai Hulud JavaScript Attack? A major JavaScript supply-chain attack has compromised more than 400 NPM packages — including at least 10 widely used across the crypto ecosystem — ...
SecurityWeek

Tens of Thousands of Malicious NPM Packages Distribute Self-Replicating Worm

The spam campaign is likely orchestrated by an Indonesian threat actor, based on code comments and the packages’ random names. A threat actor has published tens of thousands of malicious NPM packages ...
PBS

Musk could become world's first trillionaire as Tesla shareholders approve giant pay package

NEW YORK (AP) — The world's richest man was just handed a chance to become history's first trillionaire. Elon Musk won a shareholder vote on Thursday that would give the Tesla CEO stock worth $1 ...
Infosecurity-magazine.com

Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages

An ongoing npm credential harvesting campaign operating since August 2025 has been discovered by researchers at Koi Security. The malware, dubbed PhantomRaven by the researchers, is actively stealing ...
IEEE

Detecting Malicious Packages in PyPI and npm by Clustering Installation Scripts

Abstract: Software repositories such as PyPI and npm are vital for software development but expose users to serious security risks from malicious packages. The malicious packages often execute their ...
Android Authority

Thanks Hasselblad: These 15 photos might be the best I've ever taken with a phone

This week, we’ve spent some hands-on time with the upcoming OPPO Find X9 Pro flagship. It won’t be long until we can share our full initial impressions, but we can talk a bit about the new camera ...
The Hacker News

npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels

Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to ...