A malicious npm package is stealing WhatsApp messages — a sharp reminder that the software supply chain can betray even trusted platforms. Verify dependencies, always. 📦🔓 #SupplyChainRisk #NPMSecurity

https://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/

Poisoned WhatsApp API package steals messages and accounts

And it's especially dangerous because the code works

The Register

Wow, who knew that downloading a seemingly innocent NPM package could lead to your WhatsApp messages being harvested like crops in FarmVille? 🌾📱 Clearly, 56,000 people learned the hard way that trusting random code on the internet is like expecting your cat to respect your personal space. 🐱💻

https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages #NPMsecurity #WhatsAppprivacy #codingrisks #trustissues #cybersecurity #HackerNews #ngated

NPM Package With 56K Downloads Caught Stealing WhatsApp Messages

A malicious npm package factory is churning out contagious code — proving the software supply chain can be poisoned at the source. Developers must verify every dependency. 🧩⚠️ #NPMSecurity #SupplyChainRisk

https://www.darkreading.com/application-security/contagious-interview-malicious-npm-package-factory

Moving Beyond the NPM elliptic Package

If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules.

Art: CMYKat

Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using the Wycheproof.

http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/

#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages

Moving Beyond the NPM elliptic Package - Dhole Moments

If you’re in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node…

Dhole Moments

Over 46,000 fake npm packages flood the ecosystem — attackers are poisoning the software supply chain at scale. Developers must verify before they install. 📦⚠️ #SoftwareSupplyChain #NPMSecurity

https://thehackernews.com/2025/11/over-46000-fake-npm-packages-flood.html

Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack

A mysterious npm worm published 46K fake packages in a two-year spam campaign, exposing major security gaps.

The Hacker News

🚨 10 npm packages found deploying a multi-stage credential harvester.

Fake CAPTCHAs, IP fingerprinting, and PyInstaller malware targeting Windows, macOS, Linux - all under typosquatted names like typescriptjs and etherdjs.

💬 How are you strengthening your open-source dependency vetting?
Follow @technadu for daily infosec intel and malware investigations.

#CyberSecurity #SupplyChainAttack #NPMSecurity #DevSecOps #ThreatIntelligence #CredentialTheftattacks

A simple typo could be the door hackers use to break in. Malicious npm packages with nearly identical names are now tricking developers to steal credentials and data. Curious how a spelling error can lead to major breaches?

https://thedefendopsdiaries.com/the-anatomy-of-a-malicious-npm-package-how-typosquatting-tricks-developers/

#npmsecurity
#typosquatting
#supplychainattack
#malware
#infostealer

GitHub tightens npm security with mandatory 2FA, access tokens

GitHub is introducing a set of defenses against supply-chain attacks on the platform that led to multiple large-scale incidents recently.

BleepingComputer

Could a simple QR code hide a hidden threat? The fezbox npm incident revealed malware camouflaged inside a QR code, challenging everything we thought we knew about cybersecurity. Read on to see how attackers are outsmarting traditional defenses.

https://thedefendopsdiaries.com/steganographic-use-of-qr-codes-in-cybersecurity-the-fezbox-npm-package-incident/

#qrsecurity
#steganography
#npmsecurity
#malwaredetection
#cyberattacktrends

Steganographic Use of QR Codes in Cybersecurity: The Fezbox npm Package Incident

Explore how attackers used QR codes and steganography in the fezbox npm package to evade detection and deliver malware in open-source ecosystems.

The DefendOps Diaries

A QR code turned Trojan horse? A crafty npm package used hidden QR codes to smuggle cookie-stealing malware, evading detection in plain sight. How safe is our open-source world?

https://thedefendopsdiaries.com/steganographic-use-of-qr-codes-in-cybersecurity-the-fezbox-npm-package-incident/

#qrsecurity
#steganography
#npmsecurity
#malwaredetection
#cyberattacktrends