npm
- GitHub to disable npm install scripts by default in version 12
  GitHub said npm version 12 will disable install scripts by default next month to curb supply chain abuse. The change will also restrict Git and remote dependencies unless users explicitly allow them.

- New npm supply chain worms hit 50-plus packages, steal secrets
  Two npm supply chain attacks spread a Rust information stealer and a worm across dozens of packages, targeting developer secrets, cloud credentials and AI tool configurations. Researchers said the malware used GitHub and npm features to keep propagating.

- Malicious npm package targets OpenAI Codex users and steals authentication tokens
  Researchers say a malicious npm package and related Android apps targeted OpenAI Codex users, stealing local authentication tokens and sending them to an attacker-controlled server, with the package drawing more than 29,000 weekly downloads.

- Malicious npm package used GitHub uploads to steal files from AI workspace
  A malicious npm package was found stealing files from Claude's workspace directory by using GitHub uploads during installation. Researchers said the package hid the theft behind fake sync and network logs.

- TrapDoor supply chain attack spreads across npm, PyPI and Crates.io
  A coordinated supply chain campaign has spread malicious packages across npm, PyPI and Crates.io, targeting developers with code that steals credentials, wallets, SSH keys and cloud secrets.

- Leaked Shai-Hulud malware resurfaces in npm infostealer campaign
  Four malicious npm packages infected with a Shai-Hulud clone were published over the weekend, stealing credentials, secrets and crypto wallet data. One package also added DDoS features, and the combined downloads reached 2,678.

- OpenAI says two employees were affected in TanStack supply chain attack
  OpenAI said two employees were affected in the TanStack supply chain attack, and it rotated code-signing certificates as a precaution. The company said customer data and production systems were not impacted.

- SAP-related npm packages hit by credential-stealing supply chain attack
  SAP-related npm packages were compromised in an April 29 supply chain attack that inserted credential-stealing malware into four releases, affecting developer, GitHub, npm, cloud, and Kubernetes secrets, according to a technical analysis from Aikido Security.

- North Korean hackers use AI to hide npm malware in Web3 supply chain
  North Korean-linked hackers are using AI-generated code and layered npm packages to spread malware that steals cryptocurrency wallets and developer data, according to a technical analysis from ReversingLabs. The campaign has also expanded beyond npm to other platforms.

- Malicious npm packages spread self-propagating worm through stolen developer tokens
  Researchers found a self-propagating npm supply chain worm in April 2026 that stole developer secrets, reused npm tokens to publish poisoned packages and also included PyPI propagation logic.