npm security

(10 articles)

June 1, 2026

Miasma Attack Hits Red Hat npm Packages

The Miasma supply chain attack compromised Red Hat npm packages with a credential-stealing worm. Here's what developers need to know and do right now.

June 1, 2026

OpenAI Codex Tokens Stolen in npm Supply Chain Attack

The malicious npm package codexui-android stole OpenAI Codex authentication tokens. Here's what developers need to know and how to protect their projects.

May 27, 2026

Malicious npm Package Stole Claude AI Files via GitHub

A malicious npm package silently exfiltrated files from Claude AI's user directory and uploaded them to GitHub. Here's how it worked and what to do.

May 20, 2026

Grafana GitHub Breach: TanStack npm Attack Exposed

Grafana's GitHub was breached via a malicious TanStack npm package. Learn how the supply chain attack worked and how to protect your repositories.

May 19, 2026

Malicious AntV npm Packages via Hijacked Account

Mini Shai-Hulud pushed malicious AntV npm packages through a compromised maintainer account. Here's what developers need to know to stay protected.

April 29, 2026

SAP npm Packages Hit in Credential-Stealing Attack

Malicious SAP-related npm packages were caught stealing credentials in a supply chain attack. Here's what developers need to check right now.

April 23, 2026

Bitwarden CLI npm Package Compromised to Steal Credentials

The Bitwarden CLI npm package was backdoored for 90 minutes on April 22, 2026. Learn what was stolen, how it spread, and what developers must do now.

April 22, 2026

npm Supply Chain Worm Steals Developer Tokens

A self-propagating worm is hijacking npm packages to steal developer tokens. Learn how it spreads and what you can do to protect your projects now.

April 8, 2026

N. Korean Hackers Drop 1,700 Malicious Packages

North Korean hackers spread 1,700 malicious packages across npm, PyPI, Go, and Rust registries. Here's what developers need to check right now.

March 31, 2026

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

A compromised npm account pushed a cross-platform RAT through the Axios package. Here's what happened and how developers can protect their supply chain.