Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised

A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+ monthly downloads.

SafeDep - Real-time Open Source Software Supply Chain Security
🔥🚀 Oh, rejoice! Another day, another hack—this time, Bitwarden's CLI couldn't dodge a bullet in the #Checkmarx supply chain campaign. Thank goodness for Socket Research Team, because without them, we'd never know which npm package will ruin our day next! 🙄🔒💥
https://socket.dev/blog/bitwarden-cli-compromised #Bitwarden #SupplyChain #SocketResearch #npmSecurity #HackNews #HackerNews #ngated
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Bitwarden CLI 2026.4.0 was compromised in the Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline.

Socket

A malicious npm package is stealing WhatsApp messages — a sharp reminder that the software supply chain can betray even trusted platforms. Verify dependencies, always. 📦🔓 #SupplyChainRisk #NPMSecurity

https://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/

Poisoned WhatsApp API package steals messages and accounts

And it's especially dangerous because the code works

The Register
Wow, who knew that downloading a seemingly innocent NPM package could lead to your WhatsApp messages being harvested like crops in FarmVille? 🌾📱 Clearly, 56,000 people learned the hard way that trusting random code on the internet is like expecting your cat to respect your personal space. 🐱💻
https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages #NPMsecurity #WhatsAppprivacy #codingrisks #trustissues #cybersecurity #HackerNews #ngated
NPM Package With 56K Downloads Caught Stealing WhatsApp Messages

A malicious npm package factory is churning out contagious code — proving the software supply chain can be poisoned at the source. Developers must verify every dependency. 🧩⚠️ #NPMSecurity #SupplyChainRisk

https://www.darkreading.com/application-security/contagious-interview-malicious-npm-package-factory

Moving Beyond the NPM elliptic Package

If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules.

Art: CMYKat

Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a JavaScript package on NPM) by using the Wycheproof.

http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/

#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages

Moving Beyond the NPM elliptic Package - Dhole Moments

Dhole Moments

Over 46,000 fake npm packages flood the ecosystem — attackers are poisoning the software supply chain at scale. Developers must verify before they install. 📦⚠️ #SoftwareSupplyChain #NPMSecurity

https://thehackernews.com/2025/11/over-46000-fake-npm-packages-flood.html

Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack

A mysterious npm worm published 46K fake packages in a two-year spam campaign, exposing major security gaps.

The Hacker News

🚨 10 npm packages found deploying a multi-stage credential harvester.

Fake CAPTCHAs, IP fingerprinting, and PyInstaller malware targeting Windows, macOS, Linux - all under typosquatted names like typescriptjs and etherdjs.

💬 How are you strengthening your open-source dependency vetting?
Follow @technadu for daily infosec intel and malware investigations.

#CyberSecurity #SupplyChainAttack #NPMSecurity #DevSecOps #ThreatIntelligence #CredentialTheftattacks

A simple typo could be the door hackers use to break in. Malicious npm packages with nearly identical names are now tricking developers to steal credentials and data. Curious how a spelling error can lead to major breaches?

https://thedefendopsdiaries.com/the-anatomy-of-a-malicious-npm-package-how-typosquatting-tricks-developers/

#npmsecurity
#typosquatting
#supplychainattack
#malware
#infostealer

GitHub tightens npm security with mandatory 2FA, access tokens

GitHub is introducing a set of defenses against supply-chain attacks on the platform that led to multiple large-scale incidents recently.

BleepingComputer