Bleeping Computer

npm packages caught serving TurkoRAT binaries that mimic NodeJS

Researchers have discovered multiple npm packages named after NodeJS libraries that even pack a Windows executable that resembles NodeJS but instead drops a sinister trojan. These packages, given ...
Morning Overview on MSN

Malicious open-source packages surge 73% in 2026 as threat actors weaponize the software supply chain

In the first five months of 2026, security researchers have flagged more malicious packages on the npm registry than in all ...
CSOonline

Malicious code in the Node.js npm registry shakes open source trust model

Bad actors using typo-squatting place 39 malicious packages in npm that went undetected for two weeks. How should the open source community respond? Software development relies heavily on trust, ...
Bleeping Computer

NPM supply-chain attack impacts hundreds of websites and apps

An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. As ...
techtimes

Warning: Malicious JavaScript Library Posing as Twilio-Related Libraries Opens Vulnerabilities to Programmers' Computer

The npm security team has just recently removed a malicious JavaScript library from the npm website that contains malicious code that can be used for opening backdoors on certain programmers' ...
ZDNet

Hacker backdoors popular JavaScript library to steal Bitcoin funds

A hacker has gained (legitimate) access to a popular JavaScript library and has injected malicious code that steals Bitcoin and Bitcoin Cash funds stored inside BitPay's Copay wallet apps. The ...