#npm

Cargo loader moving freight onto an aircraft, a stand-in for the software supply chain

Red Hat's npm namespace and Arch's AUR were both backdoored within two weeks of each other

A worm hijacked Red Hat's npm namespace, a rootkit spread through 1,500 Arch AUR packages, and a SOC 2-certified AI gateway shipped malware. Registries are under fire.

Security·last month

TanStack published its npm supply-chain postmortem. The attack chained three GitHub Actions flaws.

Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.

Socket security research card promoting the CanisterWorm Namastex compromise analysis.

Security·2 months ago

Another npm worm: CanisterWorm hits 16 Namastex packages and reaches PyPI on the same hop

Socket flagged a self-propagating worm in @automagik/genie, pgserve, and 14 sibling Namastex Labs packages. It steals 40 credential categories and republishes itself.

Aikido Security illustration of the GPT-Proxy backdoor.

Security·2 months ago

Malicious npm and PyPI packages turn dev servers into Chinese LLM proxies

Aikido found a stage-2 Go binary inside two health-check-themed packages that runs an OpenAI-compatible router routing Claude, GPT, and Gemini traffic through Chinese aggregators.

Bitwarden CLI compromised by the Shai-Hulud npm worm

Security·2 months ago

Bitwarden CLI got backdoored for 90 minutes. The worm calls itself 'Shai-Hulud: The Third Coming.'

A malicious @bitwarden/[email protected] hit npm on April 22. The payload steals npm tokens, cloud secrets, and Claude Code credentials, then self-replicates.

GitHub social card for the protobufjs/protobuf.js repository.

Security·2 months ago

protobuf.js RCE: a 52M/week npm package was one bad type name from code execution

GHSA-xq3m-2v4x-88gg hits protobuf.js ≤8.0.0 / ≤7.5.4. Attacker-controlled schemas executed arbitrary JS on decode. One-line fix patched it.