Threat actors are publishing clean extensions that later update to depend on hidden payload packages, bypassing marketplace checks and silently installing malware onto developers’ systems.
A dramatic spike in npm-focused intrusions shows how attackers have shifted from opportunistic typosquatting to systematic, credential-driven supply chain compromises — exploiting CI systems, maintainers, and deep weaknesses in modern DevOps pi
The bug allows attacker-controlled model servers to inject code, steal session tokens, and, in some cases, escalate to remote code execution on enterprise AI backends.
The explosive, easy-to-trigger vulnerability was exploited within hours of disclosure, exposing the risks of default framework trust.
Malicious npm package posing as a WhatsApp Web API library operated for months as a functional dependency while stealing messages and maintaining persistence.
Malicious content in issues or pull requests can trick AI agents in CI/CD workflows into running privileged commands in an attack researchers nicknamed PromptPwnd.
The originators of the Contagious Interview cyberattack campaign are stitching GitHub, Vercel, and NPM together into a development and delivery pipeline to drop malware.
The long-running Contagious Interview campaign is now hiding BeaverTail and InvisibleFerret payloads inside JSON storage services.