The recently discovered supply chain attack only affected a few wallets, drawing out around $500 in various tokens. However, the injection of malicious code into npm JavaScript packages exposed a ...
Tons of users are reporting that their Facebook Create React App builds have been failing since yesterday. The cause has been traced to a dependency used by create-react-app, the latest version of which is ...
Having another security threat emanating from Node.js’ Node Package Manager (NPM) feels like a weekly event at this point, but this newly discovered one is among the more refined. It exploits not only ...
This week, over 275 new packages have been published to the npm open-source repository named after private components being internally used by major companies. These npm packages are identical to the ...
An ongoing npm credential harvesting campaign operating since August 2025 has been discovered by researchers at Koi Security. The malware, dubbed PhantomRaven by the researchers, is actively stealing ...
Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. The finding, ...