Shai-Hulud Attack Escalates: CrowdStrike NPM Packages Compromised

A sophisticated supply chain attack dubbed "Shai-Hulud" has now compromised over 700 npm packages, including multiple official CrowdStrike packages, as attackers demonstrate unprecedented persistence in targeting the JavaScript ecosystem w…

Cyber Kendra

A single phishing click shook NPM’s open-source world—compromised packages like chalk and debug hit millions of cloud setups in just two hours. How did the community turn the tide so fast?

https://thedefendopsdiaries.com/enhancing-open-source-security-lessons-from-the-npm-supply-chain-attack/

#npmattack
#supplychainsecurity
#opensource
#phishingawareness
#cybersecurity

🚨 Major supply chain attack hits #NodeJS packages via npm, affecting billions of downloads weekly! Malicious code targets crypto wallets to hijack transactions 🚀 Encryption experts warn: watch out for obfuscated malware in popular libs like chalk & debug. Stay vigilant! 🔐🛡️ https://www.heise.de/en/news/Major-attack-on-node-js-10637093.html #Cybersecurity #CryptoTheft #npmAttack
#newz
Major attack on node.js

A cryptocurrency thief got into the npm account of a hard-working developer via spearphishing. node.js packages with billions of downloads are affected.

heise online

Although npm has been compromised, your site is probably not affected. Read this article to help you keep calm and avoid panicking, while still keeping an eye on web security:

https://metadrop.net/en/articles/npm-compromised-you-are-probably-not-risk

#SupplyChainAttack #npmSecurity #npmAttack

All the recent supply chain attacks in #npm based on phishing are sad.

I know I would probably fall for them even tho my company does continuous phishing training, and my bank sends me a reminder to not click email links regularly (good job Fineco!).

My 2c: It's probably time for *mail clients* to do something about phishing.

#npm #npmattack #security

cross-posting my little rant about #npm #npmattack #javascript #typescript stuff here:

Random NPM thoughts of the day:

  • The primary NPM registry should be obsoleted entirely ASAP
  • JSR does not do anywhere near as much as it should, and it's probably too late to fix.
  • A proper successor must only support "standard" JS, though temporarily accepting "strippable types" is ok rn
  • All packages MUST be ESM (JSR ok here)
  • MUST include docstrings on all publicly-reachable interfaces.
  • MUST NOT include any type of dependency other than a named registry dependency with a semver version (no git deps etc)
  • MUST have a non-trivial README.
  • MUST be tied to a PUBLIC repo.
  • MUST NOT have install scripts (yeah sorry, the fight's over)
  • MUST clearly include a license, even if the license is "source available, not open source". This restriction MUST NOT limit to OSI's ridiculous list.
  • MUST have a name that is scoped to its publishing user/org (@foo/bar)

  All of the above constraints MUST be checked at publish time.

  • Furthermore, the registry MUST provide the following, based on this:

  • Full browsable (published) package sources, right on the site. With linkable paths. None of this absolute trash NPM decided to do.
  • Autogenerated API docs.
  • Lower-traffic packages that have not had a new version in 6 months should be completely delisted. They can be installed, with a warning printed.
  • Usernames/org names and package names must employ a suitably-aggressive levenshtein distance for potential conflicts. This should be aggressive.
  • Packages cannot be transferred between accounts, and it's against policy to allow others access to your personal account. Orgs can work around this.
  • Top 1000 packages (maybe more) have all new publishes put on hold for 7 days, and placed into a public review queue, overridden by [tbd?staff?]
  • Y'all aren't gonna like this but: package installation should be reasonably throttled. Both to keep costs down, and to encourage people to do something less lazy than "I'm just going to install all 2k dependencies on CI every time I push a docs change". It's wasteful and harmful for many reasons.
  • I think that's all I got off the top of my head for now.

There's honestly a lot of stuff that could be done on the client side to make life better, too, and y'all know I have a ton of thoughts on that, but I wanted to rant about registries for a bit, esp now that the NPM registry is crumbling.
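Several of the publish-time rules in the rant above (scoped names, no install scripts, registry-only semver dependencies, a license, a public repo, a non-trivial README, and an aggressive Levenshtein check against existing names) can be expressed as a plain manifest linter. The script below is an added example written for this page, not code from the post's author or from any registry; the list of "existing" names, the sample manifests, the edit-distance threshold of 2 and the 50-word README threshold are all constructed assumptions, as is the idea of comparing the unscoped part of the name so that a scope swap (`@evil/chalk` next to `@acme/chalk`) is caught as well as a near-miss spelling.

```python
"""Publish-time package checks modelled on the constraints listed in the post above.

Added example; not code from the post's author or from any registry. The existing
name list, sample manifests, and thresholds (edit distance 2, 50-word README) are
constructed assumptions.
"""
import re

# Names assumed to already exist in the registry (constructed sample).
EXISTING_NAMES = ["@acme/chalk", "@acme/debug", "@duckdb/node-api", "@acme/left-pad"]

# Assumption: only exact, caret or tilde semver specs count as "registry dependency
# with a semver version"; git URLs, tarballs, file: and workspace: specs are rejected.
SEMVER_RANGE = re.compile(r"^[\^~]?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
SCOPED_NAME = re.compile(r"^@[a-z0-9-]+/[a-z0-9._-]+$")
INSTALL_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}
MAX_DISTANCE = 2       # assumed "suitably aggressive" edit distance
MIN_README_WORDS = 50  # assumed bar for a non-trivial README


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _bare(name: str) -> str:
    """Strip the @scope/ prefix so names are compared on the part users actually type."""
    return name.split("/", 1)[1] if "/" in name else name


def similar_names(name: str, existing, max_distance: int = MAX_DISTANCE):
    """Existing packages whose unscoped name is within max_distance edits of the candidate."""
    return [
        other for other in existing
        if other != name and levenshtein(_bare(name), _bare(other)) <= max_distance
    ]


def check_manifest(manifest: dict, readme: str, existing=EXISTING_NAMES) -> list:
    """Return the list of policy violations for a package.json; an empty list means publishable."""
    problems = []
    name = manifest.get("name", "")
    if not SCOPED_NAME.match(name):
        problems.append("name must be scoped (@scope/name)")
    for other in similar_names(name, existing):
        problems.append(f"name too close to existing package {other}")
    if INSTALL_SCRIPTS & set(manifest.get("scripts", {})):
        problems.append("install scripts are not allowed")
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep, spec in manifest.get(field, {}).items():
            if not SEMVER_RANGE.match(spec):
                problems.append(f"{field}.{dep}: only semver registry versions allowed, got {spec!r}")
    if not manifest.get("license"):
        problems.append("license field missing")
    if manifest.get("type") != "module":
        problems.append('package must be ESM ("type": "module")')
    repo = manifest.get("repository")
    repo_url = repo.get("url", "") if isinstance(repo, dict) else (repo or "")
    if not repo_url.startswith(("https://", "git+https://")):
        problems.append("repository must point to a public https URL")
    if len(readme.split()) < MIN_README_WORDS:
        problems.append(f"README is trivial (< {MIN_README_WORDS} words)")
    return problems


# Constructed sample manifests: one that passes every rule and one that trips most of them.
GOOD_MANIFEST = {
    "name": "@acme/colorize", "type": "module", "license": "MIT",
    "repository": {"type": "git", "url": "https://github.com/acme/colorize"},
    "scripts": {"test": "node --test"},
    "dependencies": {"chalk": "^5.3.0"},
}
GOOD_README = "Colorize adds ANSI colors to strings in the terminal. " * 12

BAD_MANIFEST = {
    "name": "@acme/chakl",                       # two edits away from @acme/chalk
    "scripts": {"postinstall": "node setup.js"},  # install script
    "dependencies": {"leftpad": "git+https://github.com/example/leftpad.git"},
}
BAD_README = "todo"

if __name__ == "__main__":
    for label, manifest, readme in (("good", GOOD_MANIFEST, GOOD_README), ("bad", BAD_MANIFEST, BAD_README)):
        print(label, check_manifest(manifest, readme) or "OK")
```

Running the file prints `OK` for the first manifest and seven violations for the second, including the near-name hit on `@acme/chalk`.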

🔥 The NPM supply chain attack just got bigger!
DuckDB database packages have been compromised with crypto-stealing malware. A simple phishing email led to packages used by thousands of developers being infected.
The malware is designed to steal cryptocurrency by hijacking wallet transactions - pretty sophisticated stuff!

Read Details - https://www.cyberkendra.com/2025/09/duckdb-packages-compromised-in-latest.html

#supplychain #npmPackage #npmattack #hack

DuckDB Packages Compromised in Latest NPM Supply Chain Attack

The NPM supply chain attack targeting major JavaScript packages has claimed another victim, with popular database library DuckDB confirming that four of its Node.js packages were compromised with cryptocurrency-stealing malware just hours after the …

Cyber Kendra

Q: Was there a #CVE issued for the packages involved in the current #NpmAttack already?

“Please sir, I want some more.”
Trillion-dollar empires petition unpaid maintainers.
Now, with an npm compromise affecting 2 billion downloads this week, the bowl may be poisoned. ☠️

🚨 New post by me at The Security Economist: http://www.securityeconomist.com/coding-like-the-dickens/
#opensource #security #ghostinthemachine #thesecurityeconomist #npm #npmattack #opensourcesecurity

Coding Like the Dickens

Orphans, ghosts, and human fragility are silently running the world’s digital infrastructure. Trillions of dollars depend on them...and, as usual with The Security Economist, there’s a Twist.

The Security Economist

Oh, if you are using NPM for your Javascript maybe don't push to production and revert things a bit? What a mess...

https://indieweb.social/@web3isgreat/115170403793689252

#javascript #npmattack

web3 is going just great (@[email protected])

Massive NPM supply chain attack puts crypto transactions at risk September 8, 2025 https://www.web3isgoinggreat.com/?id=massive-npm-supply-chain-attack-puts-crypto-transactions-at-risk

Indieweb.Social