GIGAZINE

Fake Bun runtime infects over 1,000 NPM packages and 27,000 Github repositories with malware in just a few hours

On November 24, 2025, local time, HelixGuard, an open-source security research lab that conducts research on supply chain malware and vulnerabilities, discovered that over 1,000 components in the NPM ...
Threat Post

Discord-Stealing Malware Invades npm Packages

The CursedGrabber malware has infiltrated the open-source software code repository. Three malicious software packages have been published to npm, a code repository for JavaScript developers to share ...
Infosecurity-magazine.com

FortiGuard Uncovers Deceptive Install Scripts in npm Packages

A series of malicious packages hidden within the Node Package Manager (npm), the largest software registry for JavaScript, has been uncovered. According to a new advisory published by FortiGuard on ...
heise online

New supply chain attack with malicious scripts in npm packages

The security firm Socket warns of a campaign with malicious scripts in npm packages. The analysts have discovered 60 of these packages that contain an infostealer, which in turn spies on a machine ...
Ars Technica

NPM flooded with malicious packages downloaded more than 86,000 times

Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. The finding, ...
CSOonline

Malicious npm packages found to create a backdoor in legitimate code

Researchers found malicious packages on the npm registry that, when installed, inject malicious code into legitimate npm packages already residing on developers’ machines. Attackers who target ...
CSOonline

Hackers booby trap NPM with cross-language imposter packages

Developers adept at multiple coding languages are tricked into installing a familiar-sounding package from within the Node Package Manager registry instead of the original source. Hackers are abusing ...