Compromised dYdX npm and PyPI packages delivered wallet-stealing malware and a RAT via poisoned updates in a software supply chain attack.

Here's how the JavaScript Registry evolves makes building, sharing, and using JavaScript packages simpler and more secure ...

Active attacks exploit Metro4Shell (CVE-2025-11953) in React Native CLI to execute commands and deploy Rust malware.

According to the firm’s latest supply chain security report, there was a 73% increase in detections of malicious open-source packages in 2025. The past year also saw a huge jump in the scope of ...

A researcher at Koi Security says the two key platforms have not plugged the vulnerabilities enabling the worm attacks, and ...

Microsoft’s new winapp CLI simplifies Windows app development with one-command setup, faster testing, and easier packaging.

Cybersecurity researchers have uncovered three malicious Bitcoin npm packages designed to install malware called NodeCordRAT. NodeCordRAT is equipped to steal Google Chrome credentials, API tokens ...

What Happened in the Shai Hulud JavaScript Attack? A major JavaScript supply-chain attack has compromised more than 400 NPM packages — including at least 10 widely used across the crypto ecosystem — ...

A major NPM supply-chain attack has compromised ENS-linked libraries and 490 packages with 132 million monthly downloads, deploying malware that steals developer credentials across crypto platforms. A ...

Security researchers have uncovered another large-scale, coordinated attack on the npm ecosystem, using worm-like techniques to spread spam packages. Dubbed “IndonesianFoods” due to the unique naming ...

As poisoned software continues to pop up across the industry, some threat actors have found a way to hide malicious code in npm packages and avoid detection from most security tools. In an blog post ...