Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised

A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+ monthly downloads.

SafeDep - Real-time Open Source Software Supply Chain Security
🔥🚀 Oh, rejoice! Another day, another hack—this time, Bitwarden's CLI couldn't dodge a bullet in the #Checkmarx supply chain campaign. Thank goodness for Socket Research Team, because without them, we'd never know which npm package will ruin our day next! 🙄🔒💥
https://socket.dev/blog/bitwarden-cli-compromised #Bitwarden #SupplyChain #SocketResearch #npmSecurity #HackNews #HackerNews #ngated
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Bitwarden CLI 2026.4.0 was compromised in the Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden's CI/CD pipeline.

Socket

Axios npm Account Hijacked, Malware Injected

Axios npm account hijacked, malware injected into popular JavaScript library. Developers using versions 1.14.1 or 0.30.4 are at risk. Learn how to protect your code.

#AxiosAttack, #npmSecurity, #JavaScriptMalware, #CyberSecurity, #SoftwareSupplyChain

https://newsletter.tf/axios-npm-malware-attack-developers-risk/

Malicious code was put into the popular Axios JavaScript library for 3 hours. This is a new risk for developers using npm.

#AxiosAttack, #npmSecurity, #JavaScriptMalware, #CyberSecurity, #SoftwareSupplyChain
https://newsletter.tf/axios-npm-malware-attack-developers-risk/

Axios npm Malware Attack 2023: Developers Face New Risks

Axios npm account hijacked, malware injected into popular JavaScript library. Developers using versions 1.14.1 or 0.30.4 are at risk. Learn how to protect your code.

NewsletterTF

Claude Code source code leaked through an npm registry map file

Anthropic์˜ Claude Code CLI ์†Œ์Šค ์ฝ”๋“œ๊ฐ€ npm ๋ ˆ์ง€์ŠคํŠธ๋ฆฌ ๋‚ด .map ํŒŒ์ผ์„ ํ†ตํ•ด ์œ ์ถœ๋œ ์‚ฌ๋ก€๊ฐ€ ๋ณด๊ณ ๋˜์—ˆ๋‹ค. .map ํŒŒ์ผ์€ ์†Œ์Šค ์ฝ”๋“œ์˜ ๋””๋ฒ„๊น… ์ •๋ณด๋ฅผ ํฌํ•จํ•˜์—ฌ ์›๋ณธ ์†Œ์Šค ์ฝ”๋“œ๋ฅผ ๋ณต์› ๊ฐ€๋Šฅํ•œ ํ˜•ํƒœ๋กœ ์ œ๊ณตํ•  ์ˆ˜ ์žˆ์–ด, ๋ณด์•ˆ์ƒ ์‹ฌ๊ฐํ•œ ๋ฌธ์ œ๋กœ ํ‰๊ฐ€๋œ๋‹ค. ์ด ์‚ฌ๊ฑด์€ ์˜คํ”ˆ์†Œ์Šค ํ”„๋กœ์ ํŠธ๋‚˜ ํด๋ผ์šฐ๋“œ ๊ธฐ๋ฐ˜ AI ๋„๊ตฌ ๊ฐœ๋ฐœ ์‹œ ๋ณด์•ˆ ์ทจ์•ฝ์  ๊ด€๋ฆฌ์™€ ์†Œ์Šค ์ฝ”๋“œ ์œ ์ถœ ๋ฐฉ์ง€ ์ „๋žต์˜ ์ค‘์š”์„ฑ์„ ๊ฐ•์กฐํ•œ๋‹ค.

https://news.hada.io/topic?id=28059

#anthropic #claudecode #sourcecodeleak #npmsecurity #aisecurity

Claude Code source code leaked through an npm registry map file | GeekNews

Anthropic์˜ Claude Code CLI ์†Œ์Šค ์ฝ”๋“œ๊ฐ€ npm ๋ ˆ์ง€์ŠคํŠธ๋ฆฌ์˜ .map  ํŒŒ์ผ์„ ํ†ตํ•ด ํ†ต์งธ๋กœ ๋ณต์› ๊ฐ€๋Šฅํ•œ ํ˜•ํƒœ๋กœ ์œ ์ถœ๋œ ์‚ฌ๋ก€๊ฐ€ ๋ณด๊ณ ๋์Šต๋‹ˆ๋‹ค.

GeekNews

A malicious npm package is stealing WhatsApp messages — a sharp reminder that the software supply chain can betray even trusted platforms. Verify dependencies, always. 📦🔓 #SupplyChainRisk #NPMSecurity

https://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/

Poisoned WhatsApp API package steals messages and accounts

And it's especially dangerous because the code works

The Register
Wow, who knew that downloading a seemingly innocent NPM package could lead to your WhatsApp messages being harvested like crops in FarmVille? 🌾📱 Clearly, 56,000 people learned the hard way that trusting random code on the internet is like expecting your cat to respect your personal space. 🐱💻
https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages #NPMsecurity #WhatsAppprivacy #codingrisks #trustissues #cybersecurity #HackerNews #ngated
NPM Package With 56K Downloads Caught Stealing WhatsApp Messages

A malicious npm package factory is churning out contagious code — proving the software supply chain can be poisoned at the source. Developers must verify every dependency. 🧩⚠️ #NPMSecurity #SupplyChainRisk

https://www.darkreading.com/application-security/contagious-interview-malicious-npm-package-factory

Moving Beyond the NPM elliptic Package

If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules. Art: CMYKat Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using the Wycheproof.

http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/

#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages

Moving Beyond the NPM elliptic Package - Dhole Moments

If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node…

Dhole Moments

Over 46,000 fake npm packages flood the ecosystem — attackers are poisoning the software supply chain at scale. Developers must verify before they install. 📦⚠️ #SoftwareSupplyChain #NPMSecurity

https://thehackernews.com/2025/11/over-46000-fake-npm-packages-flood.html

Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack

A mysterious npm worm published 46K fake packages in a two-year spam campaign, exposing major security gaps.

The Hacker News