Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1941+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
All tags
63 articles

#npm

All CosmicBytez Labs articles tagged #npm, across news, security advisories, how-to guides, and projects.

  • NewsJul 17, 2026

    Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

    Checkmarx researchers uncovered ViteVenom — seven malicious npm packages impersonating the Vite ecosystem that use blockchain-based command-and-control infrastructure to deploy a remote access trojan. The campaign is an expansion of the ChainVeil threat actor.

  • NewsJul 11, 2026

    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

    The popular jscrambler npm package was hijacked in version 8.14.0, silently dropping and executing a cross-platform Rust-based infostealer via a malicious...

  • NewsJul 6, 2026

    North Korean Hackers Target Open Source Developers in Supply Chain Attacks

    The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer...

  • NewsJul 5, 2026

    'Phantom Squatting': An Emerging AI-Driven Supply Chain Threat

    Palo Alto Networks Unit 42 queried AI models 685,000+ times and found they hallucinate 2.1 million plausible-but-fake domains — attackers are now...

  • NewsJul 4, 2026

    North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

    JFrog researchers attribute a fresh npm supply chain campaign to North Korea's Lazarus Group. Malicious packages impersonating Rollup polyfill tooling...

  • NewsJul 4, 2026

    North Korean Hackers Publish 108 Malicious Packages in PolinRider Campaign

    Threat actors linked to North Korea's Contagious Interview campaign have published 108 malicious packages and browser extensions across npm, Packagist,...

  • NewsJun 29, 2026

    Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

    Attackers poisoned at least 18 npm and Go packages with a novel technique: hiding malware in .vscode/tasks.json auto-run tasks, bypassing npm v12's...

  • NewsJun 26, 2026

    Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

    The Miasma supply chain malware family — an evolution of Mini Shai-Hulud and linked to the Hades worm — has compromised hundreds of npm packages, abused...

  • SecurityJun 23, 2026

    CVE-2026-12866: expr-eval npm Package Enables Arbitrary Code Execution via toJSFunction()

    All versions of the expr-eval JavaScript package are vulnerable to remote code execution through the toJSFunction() API. Crafted expressions escape the...

  • NewsJun 21, 2026

    Microsoft Links Mastra AI Supply Chain Attack to North Korean Hackers

    Microsoft has attributed a 88-minute automated supply chain attack against 142 Mastra AI npm packages — with over 1.1 million combined weekly downloads —...

  • NewsJun 21, 2026

    How Software Development's Speed Obsession Enabled TeamPCP's Chaos Crusade

    TeamPCP's remarkable success attacking open-source software was no accident — it exploited a cultural vulnerability baked into modern development: the...

  • NewsJun 17, 2026

    144 Mastra npm Packages Compromised via Hijacked Contributor Account

    A supply chain attack dubbed easy-day-js has compromised 144 npm packages in the @mastra/* namespace by hijacking a contributor account for the popular...

  • NewsJun 14, 2026

    Rust-Written IronWorm Hits NPM Supply Chain

    IronWorm, a self-propagating supply chain worm written in Rust, is targeting npm developers to steal credentials and reuse them to spread across the...

  • NewsJun 13, 2026

    NPM 12 Will Change Script Execution Behavior to Prevent Supply Chain Attacks

    NPM 12 will disable dependency install scripts by default, requiring explicit opt-in—a major shift targeting the supply chain attack vector exploited...

  • NewsJun 11, 2026

    GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

    GitHub has announced that npm version 12 will disable install scripts by default as a breaking change aimed at combating software supply chain attacks...

  • NewsJun 10, 2026

    Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

    Six critical flaws in protobuf.js — the JavaScript/TypeScript Protocol Buffers library — can lead to remote code execution and denial-of-service in...

  • NewsJun 5, 2026

    IronWorm and New Miasma Worm Variant Hit npm in Coordinated Supply Chain Attacks

    Two distinct malware campaigns have hit the npm ecosystem simultaneously — IronWorm deploys a Rust-based infostealer via 50+ poisoned packages, while a new…

  • NewsletterJun 3, 2026

    June 3 Digest: AI Ransomware, Netlogon RCE, Miasma Supply Chain

    An AI-generated ransomware toolkit automates EDR evasion; Windows Netlogon RCE is actively exploited on domain controllers; the Miasma campaign hits Red Hat…

  • NewsJun 1, 2026

    Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

    A new Mini Shai-Hulud supply chain campaign codenamed Miasma has compromised Red Hat's @redhat-cloud-services npm packages, deploying a self-propagating…

  • NewsJun 1, 2026

    OpenAI Codex Authentication Tokens Stolen via codexui-android npm Supply Chain Attack

    Cybersecurity researchers have uncovered a malicious npm package named codexui-android that targets developers using OpenAI Codex by masquerading as a…

  • NewsMay 26, 2026

    The Hackers Behind Shai-Hulud: Lucky or Skilled?

    TeamPCP's Shai-Hulud worm inflicted serious damage on the open source ecosystem — but a close look at their operations raises the question of whether their.

  • NewsMay 23, 2026

    Grafana Says Codebase and Other Data Stolen via TanStack

    Grafana confirmed attackers stole internal source code and data after a GitHub token compromised in the TanStack npm supply chain attack was never...

  • NewsMay 23, 2026

    npm Adds 2FA-Gated Publishing and Package Install Controls

    GitHub has rolled out new security controls for npm including staged publishing with 2FA approval requirements and package install policies, giving...

  • NewsMay 21, 2026

    GitHub Links Repo Breach to TanStack npm Supply-Chain Attack

    GitHub has confirmed that hackers who stole 3,800 internal repositories gained access through a malicious version of the Nx Console VS Code extension...

  • NewsMay 21, 2026

    Socket Raises $60 Million at $1 Billion Valuation

    Supply chain security startup Socket has raised $60 million in a new funding round, valuing the company at $1 billion. The capital will expand Socket's...

  • NewsMay 20, 2026

    GitHub Breached — Employee Device Hack Led to Exfiltration

    GitHub is investigating unauthorized access to thousands of internal repositories after an employee device was compromised through the TanStack npm supply...

  • NewsMay 20, 2026

    Grafana Breach Caused by Missed Token Rotation After

    Grafana Labs has revealed that its May 2026 source code breach was caused by a single GitHub workflow token that was inadvertently missed during the token...

  • NewsMay 19, 2026

    Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

    Cybersecurity researchers have discovered a fresh Mini Shai-Hulud supply chain attack compromising the @antv npm ecosystem through a hijacked maintainer...

  • NewsMay 18, 2026

    Developer Workstations Are Now Part of the Software Supply

    Supply chain attackers are no longer just targeting repositories and CI/CD pipelines — they're going after the developer workstations that hold the keys...

  • NewsMay 18, 2026

    Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

    Researchers have uncovered four malicious npm packages embedding infostealer malware and a Phantom Bot DDoS payload — one of which is a direct clone of...

  • NewsMay 18, 2026

    Shai-Hulud Worm Clones Spread After Code Release

    The public release of the Shai-Hulud worm source code by TeamPCP has triggered a wave of copycat variants appearing across the npm ecosystem. Security...

  • NewsMay 15, 2026

    Popular node-ipc npm Package Compromised to Steal

    Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication npm package, in a new...

  • NewsMay 15, 2026

    TanStack Supply Chain Attack Hits Two OpenAI Employee

    OpenAI has disclosed that two corporate employee devices were compromised via the Mini Shai-Hulud supply chain attack on the TanStack npm ecosystem,...

  • NewsMay 15, 2026

    TeamPCP Ups the Game, Releases Shai-Hulud Worm's Source Code

    The hacking group TeamPCP has publicly released the source code for its Shai-Hulud supply chain worm, actively encouraging other threat actors to...

  • NewsMay 14, 2026

    OpenAI Asks macOS Users to Update After TanStack npm Supply

    OpenAI is urging macOS users to update their software following an expanding supply chain attack that compromised TanStack and additional npm and PyPI...

  • NewsMay 14, 2026

    OpenAI Confirms Security Breach in TanStack Supply Chain

    OpenAI confirmed that two employees' devices were compromised during the TanStack supply chain attack, which hit hundreds of npm and PyPI packages. The...

  • NewsMay 12, 2026

    Mini Shai-Hulud Worm Compromises TanStack, Mistral AI

    TeamPCP has expanded its supply chain attack campaign with a fresh Mini Shai-Hulud worm that compromised npm and PyPI packages from TanStack, UiPath,...

  • NewsMay 12, 2026

    Worm Redux: Fresh Mini Shai-Hulud Infections Bite npm

    Hundreds of npm packages in the TanStack open source ecosystem have been infected by a fresh wave of Mini Shai-Hulud worm activity from TeamPCP — the same...

  • NewsMay 1, 2026

    1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, and Intercom

    The TeamPCP threat group's Mini Shai-Hulud supply chain campaign compromised SAP-related npm packages along with PyTorch Lightning and Intercom client...

  • NewsApr 30, 2026

    TeamPCP Hits SAP npm Packages With 'Mini Shai-Hulud' Supply

    The threat actor TeamPCP has compromised multiple npm packages tied to SAP's cloud application development ecosystem in a new supply chain campaign dubbed...

  • NewsApr 29, 2026

    SAP-Related npm Packages Compromised in Credential-Stealing

    Security researchers have uncovered a coordinated supply chain attack campaign dubbed 'mini Shai-H' targeting SAP-related npm packages, injecting...

  • NewsApr 26, 2026

    Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain

    The popular Bitwarden CLI password manager package @bitwarden/cli@2026.4.0 was compromised as part of an ongoing Checkmarx supply chain campaign, with...

  • SecurityApr 25, 2026

    CVE-2026-6951: simple-git RCE via --config Option Bypass

    A critical remote code execution vulnerability in the simple-git npm package allows attackers to inject arbitrary git config options via the --config...

  • NewsApr 22, 2026

    New npm Supply Chain Attack Self-Spreads to Steal Developer

    A newly discovered supply chain attack targeting the npm ecosystem steals developer authentication tokens and uses compromised accounts to publish...

  • NewsApr 20, 2026

    Why the Axios Attack Proves AI Is Mandatory for Supply

    The North Korean supply chain attack on Axios — a JavaScript library with 100 million weekly downloads — highlights why human-scale monitoring can no...

  • NewsApr 18, 2026

    Critical Flaw in protobuf.js Library Enables JavaScript

    A critical remote code execution vulnerability in protobuf.js, the widely used JavaScript implementation of Google's Protocol Buffers, has been disclosed...

  • SecurityApr 8, 2026

    CVE-2026-39397: PayloadCMS Puck Plugin Access Control Bypass

    A critical access control bypass (CVSS 9.4) in the @delmaredigital/payload-puck PayloadCMS plugin exposes all /api/puck/* CRUD endpoints without...

  • NewsApr 5, 2026

    36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

    Cybersecurity researchers discovered 36 malicious npm packages disguised as Strapi CMS plugins that abused Redis and PostgreSQL connections to harvest...

  • NewsApr 4, 2026

    Axios npm Hack Used Fake Teams Error Fix to Hijack

    The Axios HTTP client post-mortem reveals North Korean threat actors used a ClickFix-style fake Microsoft Teams error message to socially engineer a...

  • NewsApr 4, 2026

    UNC1069 Social Engineering of Axios Maintainer Led to npm

    The North Korean threat actor UNC1069 used a sophisticated, targeted social engineering campaign against the Axios npm package maintainer Jason Saayman to...

  • NewsApr 3, 2026

    Claude Source Code Leak Highlights Big Supply Chain Missteps

    The accidental exposure of Anthropic's Claude Code source code via an npm packaging error is the latest reminder that software supply chains need...

  • NewsApr 1, 2026

    Axios NPM Package Breached in North Korean Supply Chain

    A long-lived NPM access token was used to bypass the GitHub Actions OIDC-based CI/CD publishing workflow and push backdoored versions of the widely used...

  • NewsApr 1, 2026

    Claude Code Source Leaked via npm Packaging Error

    Anthropic confirmed that internal source code for its Claude Code AI coding assistant was accidentally published to npm due to a human packaging error. No...

  • NewsApr 1, 2026

    Google Attributes Axios npm Supply Chain Attack to North

    Google's Threat Intelligence Group has formally attributed the supply chain compromise of the popular Axios npm package to UNC1069, a financially...

  • NewsMar 31, 2026

    Attack on Axios Developer Tool Threatens Widespread

    Security researchers at multiple firms are sounding alarms over a supply chain attack against Axios, an npm package with 100 million weekly downloads....

  • NewsMar 31, 2026

    Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

    Two newly published versions of the widely used Axios HTTP client library — v1.14.1 and v0.30.4 — were found to contain a malicious fake dependency that...

  • NewsMar 31, 2026

    Claude Code Source Code Accidentally Leaked in NPM Package

    Anthropic accidentally published the source code for Claude Code — its normally closed-source AI coding assistant — inside an npm package. The company...

  • NewsletterMar 31, 2026

    Mar 31 Digest: Axios npm RAT, Claude Code Source Leaked

    The Axios npm library was weaponized to deliver a cross-platform RAT; Anthropic accidentally leaked Claude Code's CLI source in an npm package; Google...

  • SecurityMar 23, 2026

    CVE-2026-4599: jsrsasign Private Key Recovery via DSA Nonce

    A critical flaw in jsrsasign versions 7.0.0 through 11.1.0 allows attackers to recover DSA private keys by exploiting biased nonce generation in the...

  • NewsMar 22, 2026

    CanisterWorm: First Blockchain-Powered Self-Spreading Worm

    A novel self-propagating malware dubbed CanisterWorm uses Internet Computer Protocol smart contracts as an untakedownable C2 channel, spreading...

  • NewsMar 11, 2026

    UNC6426 Weaponizes Old nx npm Compromise to Seize AWS Admin Access

    Threat actor UNC6426 leveraged stolen credentials from last year's nx npm supply chain attack to achieve full AWS administrator access at a victim...

  • NewsFeb 12, 2026

    Lazarus Group Plants 192 Malicious Packages in npm and PyPI

    North Korea's Lazarus Group is running a fake recruitment campaign codenamed Graphalgo, planting 192 malicious packages on npm and PyPI that target...

  • NewsJan 18, 2026

    Supply Chain Attack Discovered in Popular NPM Packages

    Security researchers have discovered malicious code injected into several popular NPM packages with millions of weekly downloads. Developers urged to...