Malicious Sicoob.Sdk stole PFX certificates and client IDs via NuGet downloads, enabling API impersonation and payment abuse risks.

TrapDoor spread 34 malicious packages across npm, PyPI, and Crates.io, stealing developer credentials and enabling persistence.

An attacker poisoned 84 TanStack npm versions across 42 packages, stealing GitHub OIDC tokens and cloud keys while planting a dead-man's switch that nukes your system.

GitHub’s internal repositories — now staged publishing in npm 11.15.0 requires a human 2FA approval before any package goes ...

A fresh Mini Shai-Hulud supply chain attack has hit over 320 NPM packages, along with GitHub Actions and a VS Code extension.

Stolen credentials produced valid Sigstore certificates, clearing 633 malicious npm packages — one of seven developer tool ...

On May 19, the Mini Shai-Hulud worm compromised one npm maintainer account and pushed 639 malicious versions across 323 ...

GitHub's npm package registry has rolled out a publishing approval step to prevent the distribution of compromised packages ...

Over the holidays, the npm package registry was flooded with more than 3,000 packages, including one called "everything," and others named a variation of the word. The package is quite aptly named as ...

Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code. According to advisories from the npm security team, the three JavaScript libraries opened ...