All CosmicBytez Labs articles tagged #npm, across news, security advisories, how-to guides, and projects.
Checkmarx researchers uncovered ViteVenom — seven malicious npm packages impersonating the Vite ecosystem that use blockchain-based command-and-control infrastructure to deploy a remote access trojan. The campaign is an expansion of the ChainVeil threat actor.
The popular jscrambler npm package was hijacked in version 8.14.0, silently dropping and executing a cross-platform Rust-based infostealer via a malicious...
The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer...
Palo Alto Networks Unit 42 queried AI models 685,000+ times and found they hallucinate 2.1 million plausible-but-fake domains — attackers are now...
JFrog researchers attribute a fresh npm supply chain campaign to North Korea's Lazarus Group. Malicious packages impersonating Rollup polyfill tooling...
Threat actors linked to North Korea's Contagious Interview campaign have published 108 malicious packages and browser extensions across npm, Packagist,...
Attackers poisoned at least 18 npm and Go packages with a novel technique: hiding malware in .vscode/tasks.json auto-run tasks, bypassing npm v12's...
The Miasma supply chain malware family — an evolution of Mini Shai-Hulud and linked to the Hades worm — has compromised hundreds of npm packages, abused...
All versions of the expr-eval JavaScript package are vulnerable to remote code execution through the toJSFunction() API. Crafted expressions escape the...
Microsoft has attributed a 88-minute automated supply chain attack against 142 Mastra AI npm packages — with over 1.1 million combined weekly downloads —...
TeamPCP's remarkable success attacking open-source software was no accident — it exploited a cultural vulnerability baked into modern development: the...
A supply chain attack dubbed easy-day-js has compromised 144 npm packages in the @mastra/* namespace by hijacking a contributor account for the popular...
IronWorm, a self-propagating supply chain worm written in Rust, is targeting npm developers to steal credentials and reuse them to spread across the...
NPM 12 will disable dependency install scripts by default, requiring explicit opt-in—a major shift targeting the supply chain attack vector exploited...
GitHub has announced that npm version 12 will disable install scripts by default as a breaking change aimed at combating software supply chain attacks...
Six critical flaws in protobuf.js — the JavaScript/TypeScript Protocol Buffers library — can lead to remote code execution and denial-of-service in...
Two distinct malware campaigns have hit the npm ecosystem simultaneously — IronWorm deploys a Rust-based infostealer via 50+ poisoned packages, while a new…
An AI-generated ransomware toolkit automates EDR evasion; Windows Netlogon RCE is actively exploited on domain controllers; the Miasma campaign hits Red Hat…
A new Mini Shai-Hulud supply chain campaign codenamed Miasma has compromised Red Hat's @redhat-cloud-services npm packages, deploying a self-propagating…
Cybersecurity researchers have uncovered a malicious npm package named codexui-android that targets developers using OpenAI Codex by masquerading as a…
TeamPCP's Shai-Hulud worm inflicted serious damage on the open source ecosystem — but a close look at their operations raises the question of whether their.
Grafana confirmed attackers stole internal source code and data after a GitHub token compromised in the TanStack npm supply chain attack was never...
GitHub has rolled out new security controls for npm including staged publishing with 2FA approval requirements and package install policies, giving...
GitHub has confirmed that hackers who stole 3,800 internal repositories gained access through a malicious version of the Nx Console VS Code extension...
Supply chain security startup Socket has raised $60 million in a new funding round, valuing the company at $1 billion. The capital will expand Socket's...
GitHub is investigating unauthorized access to thousands of internal repositories after an employee device was compromised through the TanStack npm supply...
Grafana Labs has revealed that its May 2026 source code breach was caused by a single GitHub workflow token that was inadvertently missed during the token...
Cybersecurity researchers have discovered a fresh Mini Shai-Hulud supply chain attack compromising the @antv npm ecosystem through a hijacked maintainer...
Supply chain attackers are no longer just targeting repositories and CI/CD pipelines — they're going after the developer workstations that hold the keys...
Researchers have uncovered four malicious npm packages embedding infostealer malware and a Phantom Bot DDoS payload — one of which is a direct clone of...
The public release of the Shai-Hulud worm source code by TeamPCP has triggered a wave of copycat variants appearing across the npm ecosystem. Security...
Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication npm package, in a new...
OpenAI has disclosed that two corporate employee devices were compromised via the Mini Shai-Hulud supply chain attack on the TanStack npm ecosystem,...
The hacking group TeamPCP has publicly released the source code for its Shai-Hulud supply chain worm, actively encouraging other threat actors to...
OpenAI is urging macOS users to update their software following an expanding supply chain attack that compromised TanStack and additional npm and PyPI...
OpenAI confirmed that two employees' devices were compromised during the TanStack supply chain attack, which hit hundreds of npm and PyPI packages. The...
TeamPCP has expanded its supply chain attack campaign with a fresh Mini Shai-Hulud worm that compromised npm and PyPI packages from TanStack, UiPath,...
Hundreds of npm packages in the TanStack open source ecosystem have been infected by a fresh wave of Mini Shai-Hulud worm activity from TeamPCP — the same...
The TeamPCP threat group's Mini Shai-Hulud supply chain campaign compromised SAP-related npm packages along with PyTorch Lightning and Intercom client...
The threat actor TeamPCP has compromised multiple npm packages tied to SAP's cloud application development ecosystem in a new supply chain campaign dubbed...
Security researchers have uncovered a coordinated supply chain attack campaign dubbed 'mini Shai-H' targeting SAP-related npm packages, injecting...
The popular Bitwarden CLI password manager package @bitwarden/cli@2026.4.0 was compromised as part of an ongoing Checkmarx supply chain campaign, with...
A critical remote code execution vulnerability in the simple-git npm package allows attackers to inject arbitrary git config options via the --config...
A newly discovered supply chain attack targeting the npm ecosystem steals developer authentication tokens and uses compromised accounts to publish...
The North Korean supply chain attack on Axios — a JavaScript library with 100 million weekly downloads — highlights why human-scale monitoring can no...
A critical remote code execution vulnerability in protobuf.js, the widely used JavaScript implementation of Google's Protocol Buffers, has been disclosed...
A critical access control bypass (CVSS 9.4) in the @delmaredigital/payload-puck PayloadCMS plugin exposes all /api/puck/* CRUD endpoints without...
Cybersecurity researchers discovered 36 malicious npm packages disguised as Strapi CMS plugins that abused Redis and PostgreSQL connections to harvest...
The Axios HTTP client post-mortem reveals North Korean threat actors used a ClickFix-style fake Microsoft Teams error message to socially engineer a...
The North Korean threat actor UNC1069 used a sophisticated, targeted social engineering campaign against the Axios npm package maintainer Jason Saayman to...
The accidental exposure of Anthropic's Claude Code source code via an npm packaging error is the latest reminder that software supply chains need...
A long-lived NPM access token was used to bypass the GitHub Actions OIDC-based CI/CD publishing workflow and push backdoored versions of the widely used...
Anthropic confirmed that internal source code for its Claude Code AI coding assistant was accidentally published to npm due to a human packaging error. No...
Google's Threat Intelligence Group has formally attributed the supply chain compromise of the popular Axios npm package to UNC1069, a financially...
Security researchers at multiple firms are sounding alarms over a supply chain attack against Axios, an npm package with 100 million weekly downloads....
Two newly published versions of the widely used Axios HTTP client library — v1.14.1 and v0.30.4 — were found to contain a malicious fake dependency that...
Anthropic accidentally published the source code for Claude Code — its normally closed-source AI coding assistant — inside an npm package. The company...
The Axios npm library was weaponized to deliver a cross-platform RAT; Anthropic accidentally leaked Claude Code's CLI source in an npm package; Google...
A critical flaw in jsrsasign versions 7.0.0 through 11.1.0 allows attackers to recover DSA private keys by exploiting biased nonce generation in the...
A novel self-propagating malware dubbed CanisterWorm uses Internet Computer Protocol smart contracts as an untakedownable C2 channel, spreading...
Threat actor UNC6426 leveraged stolen credentials from last year's nx npm supply chain attack to achieve full AWS administrator access at a victim...
North Korea's Lazarus Group is running a fake recruitment campaign codenamed Graphalgo, planting 192 malicious packages on npm and PyPI that target...
Security researchers have discovered malicious code injected into several popular NPM packages with millions of weekly downloads. Developers urged to...