Mastra AI’s 144 JavaScript packages was executed in just 88 minutes by North Korea’s Sapphire Sleet hacking group, which ...

Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers ...

Mastra npm packages added easy-day-js malware, exposing developer systems and CI runners to infostealer risks.

What is Mini Shai-Hulud npm supply chain attack, and was Microsoft and Socket hit by malware? A new software supply chain attack has affected the npm ecosystem and raised concern across developer and ...

The popular NPM package 'is' has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to compromised devices. This occurred after maintainer accounts ...

Red Hat hit by npm supply‑chain attack - here's how to stay safe ...

JFrog found malicious npm packages that deploy a Windows RAT to steal Chrome credentials, run commands, and transfer files.

July 2026, blocking install scripts, Git dependencies, and remote URL sources by default. Every team running npm install in ...

That it's an abbreviation is not really relevant here. It sort of stands for "node package manager" but that really doesn't tell you anything. It consists of a command line client, also called npm, ...

Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This way, even if the ...