Strapi plugins exploit Redis and PostgreSQL via postinstall scripts, enabling persistent access and data theft.

Over 1,700 malicious packages since Jan 2025 fuel cross-ecosystem supply chain attacks, enabling espionage and financial ...

Attackers stole a long-lived npm token from the lead axios maintainer and published two poisoned versions that drop a cross-platform RAT. Axios sits in 80% of cloud environments. Huntress confirmed ...

A new wave of North Korea's 'Contagious Interview' campaign is targeting job seekers with malicious npm packages that infect dev's devices with infostealers and backdoors. The packages were discovered ...

Add Yahoo as a preferred source to see more of our stories on Google. North Korean state-sponsored threat actors were observed pushing malicious packages into the npm registry, in an attempt to ...

Updated: Hijacked maintainer account let attackers slip cross-platform trojan into 100M-downloads-a-week Axios ...

Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors. More than ...

Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.

North Korean state-sponsored threat actors were observed pushing malicious packages into the npm registry, in an attempt to infiltrate endpoints belonging to software developers. This time around, ...