Important notice for anyone maintaining a package on NPM. Certain NPM tokens have been invalidated in response to a supply chain attack. More information and instructions on what to do if this has happened to your workflows can be found at https://github.com/orgs/community/discussions/196340 #npm #security
npm granular access token invalidation to prevent supply chain attacks · community · Discussion #196340

As initially announced on npm’s X channel, we have invalidated granular access tokens with write access that bypass two-factor authentication. This action was taken to help prevent supply chain att...

GitHub

We need a good NPM alternative. Trusted publishing isn't a good solution as it makes switching to FOSS alternatives harder.

#dev #webdev #javascript #npm #foss

314 npm packages just got compromised, 271 @antv, echarts-for-react, size-sensor, timeago.js (safedep.io)

https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/

#npm #supplychain #attack #security

Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised

A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+ monthly downloads.

SafeDep - Real-time Open Source Software Supply Chain Security

Copycat hits another npm package

A Shai-Hulud copycat worm has infected the npm package chalk-tempalte, appearing just five days after the original worm was open-sourced by its creators. The same threat actor also published three additional malicious npm packages containing infostealer code: @deadcode09284814/axios-util, axois-utils, and color-style-utils. These packages collectively received 2,678 weekly downloads and contain various malicious capabilities including credential theft, cryptocurrency wallet exfiltration, cloud configuration harvesting, and DDoS botnet functionality. The malware exfiltrates stolen data to remote command-and-control servers and uploads credentials to GitHub repositories. Researchers indicate the attacker operates from a home computer or local server farm and appears financially motivated, targeting victims' cryptocurrency assets while potentially offering DDoS-as-a-service capabilities.

Pulse ID: 6a0b921d3574a6ef2eca8d47
Pulse Link: https://otx.alienvault.com/pulse/6a0b921d3574a6ef2eca8d47
Pulse Author: AlienVault
Created: 2026-05-18 22:26:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #DDoS #DoS #GitHub #InfoSec #InfoStealer #Malware #NPM #OTX #OpenThreatExchange #RAT #RCE #Worm #bot #botnet #cryptocurrency #iOS #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Active Supply Chain Attack Compromises Packages on npm

An active npm supply chain attack has compromised packages in the @antv ecosystem, affecting the maintainer account 'atool'. The attack is part of the Mini Shai-Hulud campaign, involving 639 compromised package versions across 323 unique packages. Notable affected packages include echarts-for-react with 1.1 million weekly downloads, and widely-used @antv packages for data visualization. The malware uses obfuscated install-time payloads that harvest developer credentials, GitHub tokens, npm tokens, AWS credentials, and other secrets from development and CI/CD environments. Stolen data is encrypted with AES-256-GCM and exfiltrated to a command-and-control server, with GitHub repositories used as fallback channels. The malware contains worm-like functionality to republish compromised packages and propagate through the npm ecosystem.

Pulse ID: 6a0c1b289f4fe8b7bdf00a84
Pulse Link: https://otx.alienvault.com/pulse/6a0c1b289f4fe8b7bdf00a84
Pulse Author: AlienVault
Created: 2026-05-19 08:11:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #CyberSecurity #GitHub #InfoSec #Malware #NPM #OTX #OpenThreatExchange #RAT #SupplyChain #Worm #bot #AlienVault


Minko Gechev (@mgechev)

skillgrade v0.1.5 has been released. OpenCode support was added, the grader provider was made configurable, and overall error handling and stability were improved. A bug related to the local provider was also fixed, improving its usability as an AI model/agent evaluation tool.

https://x.com/mgechev/status/2056527291493351792

#opensource #aiops #evaluation #npm

Minko Gechev (@mgechev) on X

Just published skillgrade v0.1.5! 🚀
• Added support for OpenCode
• Configurable grader provider support
• Improved overall error handling & stability
• Fixes for the local provider
npm i -g skillgrade https://t.co/NPVCKSG7CI

X (formerly Twitter)

Wrote a tiny #Python script to scan for #npm hooks in package.json files (scans dir tree recursively): https://github.com/panzi/hookscan Does #pip also have such hooks? Might add scanning for those in the future. Not now. #NodeJS #JavaScript
GitHub - panzi/hookscan: Scan for hooks in `package.json` files.

Scan for hooks in `package.json` files. Contribute to panzi/hookscan development by creating an account on GitHub.

GitHub
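The kind of scanner the post above describes, written here as an added illustration rather than the hookscan project's own code: it walks a directory tree, parses every package.json it finds, and lists the lifecycle scripts that npm runs automatically during install (the trigger the Mini Shai-Hulud payloads in the pulses above rely on). The hook names in INSTALL_HOOKS follow npm's documented lifecycle names; the substrings in SUSPICIOUS_MARKERS are assumed, illustrative heuristics, and the demo packages are constructed sample data, not real packages.

```python
"""Scan a directory tree for npm install-time lifecycle hooks in package.json files.

Install-time lifecycle scripts (preinstall, install, postinstall, ...) run
automatically on `npm install`, which is why compromised packages use them
as the payload trigger. This scanner lists every such hook so a reviewer
can inspect the command before trusting the tree.
"""
import json
import os
import tempfile

# npm lifecycle scripts that execute during `npm install` / `npm ci`.
# `prepare` also runs when the root project or a git dependency is installed.
INSTALL_HOOKS = (
    "preinstall", "install", "postinstall",
    "prepublish", "preprepare", "prepare", "postprepare",
)

# Substrings that warrant a closer look when they appear in a hook command.
# Assumed, illustrative heuristics only; not a vendor signature list.
SUSPICIOUS_MARKERS = ("curl ", "wget ", "base64", "eval(", "child_process", "| sh", "| bash")


def find_install_hooks(pkg):
    """Return {hook_name: command} for install-time scripts in a parsed package.json dict."""
    scripts = pkg.get("scripts")
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items()
            if name in INSTALL_HOOKS and isinstance(cmd, str)}


def is_suspicious(command):
    """True if the command contains any illustrative marker (case-insensitive)."""
    lowered = command.lower()
    return any(marker in lowered for marker in SUSPICIOUS_MARKERS)


def scan_tree(root):
    """Walk `root` recursively and return one finding per install-time hook found.

    Each finding is (relative_path, package_name, hook_name, command, suspicious).
    Unreadable or non-JSON package.json files are skipped instead of aborting the scan.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue
        if not isinstance(pkg, dict):
            continue
        rel = os.path.relpath(path, root)
        name = pkg.get("name", "<unnamed>")
        for hook, cmd in sorted(find_install_hooks(pkg).items()):
            findings.append((rel, name, hook, cmd, is_suspicious(cmd)))
    return findings


# Constructed demo tree (sample data; the package names are made up).
DEMO_PACKAGES = {
    "package.json": {"name": "demo-app", "scripts": {"test": "jest", "build": "tsc"}},
    "node_modules/good-lib/package.json": {
        "name": "good-lib",
        "scripts": {"prepare": "husky install", "test": "mocha"},
    },
    "node_modules/example-bad-lib/package.json": {
        "name": "example-bad-lib",
        "scripts": {"postinstall": "node -e \"eval(Buffer.from(process.env.X,'base64').toString())\""},
    },
}


def run_demo():
    """Write the constructed tree into a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in DEMO_PACKAGES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                json.dump(content, fh)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, name, hook, cmd, sus in run_demo():
        flag = "!! " if sus else "   "
        print(f"{flag}{name:<18} {hook:<12} {rel}\n      {cmd}")
```

Point `scan_tree()` at a checked-out project or its node_modules to get the list; every hook, flagged or not, deserves a look, since a benign-looking `prepare` hook is still arbitrary code that runs on install. A complementary mitigation is setting `ignore-scripts=true` in `.npmrc` so lifecycle scripts do not execute during install unless explicitly enabled.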

Malware Campaign Compromises Hundreds of npm Packages

A new, highly aggressive malware campaign, linked to the notorious TeamPCP group, has infected hundreds of npm packages, putting countless environments at risk of exposure. If you're concerned about potential damage, take immediate action to rotate secrets, remove persistence artifacts, and review recent publish activity.

https://osintsights.com/malware-campaign-compromises-hundreds-of-npm-packages?utm_source=mastodon&utm_medium=social

#MalwareOperations #Npm #Teampcp #MiniShaihulud #SupplyChain

Malware Campaign Compromises Hundreds of npm Packages

Protect your environment from TeamPCP's Mini Shai-Hulud malware campaign compromising hundreds of npm packages - learn how to secure your system now and prevent further attacks.

OSINTSights

And no, making programmers jump through hoops to publish their code isn't a solution either.

When I ended my brief stint maintaining an #npm package, they were cranking up the authentication requirements already. By now, they probably require a verification can and a stool sample every time you want to publish.

This has done ABSOLUTELY NOTHING to prevent supply chain attacks. Maintainers are still getting phished. Because they've no time for vigilance.

#security #cybersecurity #infosec

Leaked Shai-Hulud malware fuels new npm infostealer campaign

The Shai-Hulud malware leaked last week is now used in new attacks on the Node Package Manager (npm) index, as infected packages emerged over the weekend.

BleepingComputer