Mastra npm packages added easy-day-js malware, exposing developer systems and CI runners to infostealer risks.
2026年5月25日,国家网络安全通报中心发布:监测发现,全球主流Java软件包管理平台npm遭“沙虫” (Shai-Hulud)供应链投毒攻击。攻击者攻陷了npm官方维护者账户,并在短时间内批量投放大量恶意软件包,涉及300余个独立程序包的600余个恶意版本,影响多个热门开源项目。当开发者安装恶意依赖包后,程序会自动在本地主机、CI/CD流水线环境执行恶意代码,窃取GitHub ...
Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers ...
Red Hat hit by npm supply‑chain attack - here's how to stay safe ...
Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code. According to advisories from the npm security team, the three JavaScript libraries opened ...
JFrog found malicious npm packages that deploy a Windows RAT to steal Chrome credentials, run commands, and transfer files.
Threat actors are finding new ways to insert invisible code or links into open source code to evade detection of software supply chain attacks. The latest example was found by researchers at ...
Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. Last week, JFrog researchers disclosed the scheme in which an unknown threat actor ...
A significant percentage of the 50,000 most-downloaded npm packages are deprecated or have a deprecated dependency but provide no warning. Security researchers warn that many npm packages are being ...
In a surprising move, the popular open source project, SheetJS aka "xlsx," has dropped support for the npm registry. Downloaded about 1.4 million times weekly on npm, SheetJS is relied upon by NodeJS ...
一些您可能无法访问的结果已被隐去。
显示无法访问的结果