Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer ...
Attackers stole a long-lived npm access token belonging to the lead maintainer of axios, the most popular HTTP client library in JavaScript, and used it to publish two poisoned versions that install a ...
Hosted on MSN
NPM packages are infected with malware, again
Shai Hulud v2 infected 500+ npm packages (700+ versions) and spilled into Java/Maven — yikes. Compromised packages run a preinstall loader that downloads Bun and executes a 10MB obfuscated payload ...
A npm supply chain attack named Miasma compromised 32 official packages under Red Hat's @redhat-cloud-services namespace on June 1, 2026, injecting a self-propagating credential-stealing worm that ...
A popular npm package for OpenAI Codex with 29,000 weekly downloads has been stealing developer authentication tokens for a month. The same credential-theft chain also ran through two Android apps ...
Some results have been hidden because they may be inaccessible to you
Show inaccessible results