Warning: Undefined variable $comments_html in /home/u319666691/domains/cybersecurityboard.com/public_html/_template.php on line 527

Hackers hijack NPM packages with 2 billion weekly downloads in supply chain attack

In a significant supply chain attack, hackers have compromised popular NPM packages that collectively boast over 2 billion weekly downloads. This incident highlights the growing threat of supply chain vulnerabilities in the software development ecosystem, particularly within the JavaScript community. Attackers exploited the trust developers place in widely used packages to distribute malicious code, potentially impacting countless applications and users worldwide. The compromised NPM packages were altered to include malicious payloads, which could lead to data breaches, unauthorized access, or further propagation of malware. This attack underscores the critical need for enhanced security measures in package management systems and vigilant monitoring by developers and organizations relying on third-party libraries. Security experts recommend immediate audits of dependencies, implementation of strict code review processes, and adoption of automated tools to detect anomalies in package behavior. The incident serves as a stark reminder of the risks inherent in modern software supply chains and the importance of proactive cybersecurity strategies to mitigate such threats.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 08 Sep 2025 16:50:15 +0000

Cyber News related to Hackers hijack NPM packages with 2 billion weekly downloads in supply chain attack

Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
1 year ago Feeds.dzone.com

New "MITRE ATT&CK-like" framework outlines software supply chain attack TTPs - A new open framework seeks to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack ...
2 years ago Csoonline.com

'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com

Hackers hijack NPM packages with 2 billion weekly downloads in supply chain attack - In a significant supply chain attack, hackers have compromised popular NPM packages that collectively boast over 2 billion weekly downloads. This incident highlights the growing threat of supply chain vulnerabilities in the software development ...
16 hours ago Bleepingcomputer.com

Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
5 months ago Cybersecuritynews.com Lazarus Group

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com

npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
1 month ago Bleepingcomputer.com

CISA Announces Renewal of the Information and Communications Technology Supply Chain Risk Management Task Force - The Task Force, chaired by CISA's National Risk Management Center and the Information Technology and Communications Sector Coordinating Councils, is a public-private partnership composed of a diverse range of representatives from public and private ...
1 year ago Cisa.gov

New Supply Chain Attack Leveraging Python Package Index Targeting Wacatac Trojan - A new supply chain attack has recently been detected targeting Python Package Index (PyPI) users with the Wacatac Trojan. This attack is seen as the latest in a series of advanced persistent threats (APT) targeting the escalating use of Python in ...
2 years ago Securityweek.com

Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com

Threat Actors Weaponizing Open Source Packages to Deliver Malware in Supply Chain Attack - In one campaign linked to North Korean threat actors, Socket.dev researchers discovered a package delivering a loader called “BeaverTail” that stole browser data and cryptocurrency wallet credentials before fetching a more advanced ...
3 months ago Cybersecuritynews.com

Threat Actors Weaponized 28+ New npm Packages to Infect Users With Protestware Scripts - The persistence mechanism stores an initiation timestamp in localStorage using the key ‘swal-initiation’, calculating elapsed time since first visit to determine payload activation, ensuring repeat users experience the full protestware ...
1 month ago Cybersecuritynews.com

SCS 9001 2.0 reveals enhanced controls for global supply chains - In this Help Net Security interview, Mike Regan, VP of Business Performance at TIA, discusses SCS 9001 Release 2.0, a certifiable standard crafted to assist organizations in operationalizing the NIST and other government guidelines and frameworks. ...
1 year ago Helpnetsecurity.com

5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
5 months ago Cybersecuritynews.com

UK, ROK sound alarm over North Korean supply chain attacks The Register - The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks. "In an increasingly digital and interconnected ...
1 year ago Theregister.com Lazarus Group

Supply Chain Cybersecurity - CISO Risk Management Guide - As regulatory scrutiny intensifies and cyber threats grow more sophisticated, CISOs must adopt a proactive, strategic approach to supply chain cybersecurity risk management, making it a boardroom priority and an integral part of organizational ...
4 months ago Cybersecuritynews.com

NPM package ‘is’ with 2.8M weekly downloads infected devs with malware - On July 19, 2025, the package's primary maintainer, John Harband, announced that versions 3.3.1 through 5.0.0 contained malware and were removed roughly 6 hours after threat actors submitted them to npm. The popular NPM package 'is' has been ...
1 month ago Bleepingcomputer.com Snatch

Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack - On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository. We immediately notified the WordPress Plugin's Team and they removed the ...
1 year ago Wordfence.com

Malicious npm and PyPI Pose as Developer Tools to Steal Login Credentials - The researchers noted that the packages employ various exfiltration methods to transmit stolen credentials to threat actors, with react-native-scrollpageviewtest using Google Analytics as its exfiltration channel, while the PyPI packages leverage ...
4 months ago Cybersecuritynews.com

Securing the Supply Chain - Before a supply chain can be improved, it must be understood. Rather than attacking one target, it is more effective to manipulate the supply chain to gain access to multiple targets. The 2013 Target breach was an example of a supply chain attack, as ...
2 years ago Securityweek.com

Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors - Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, ...
4 months ago Cybersecuritynews.com

Synopsys Introduces Latest Solution for Comprehensive Security Across Software Supply Chains - Synopsys has introduced Black Duck® Supply Chain Edition, a novel software composition analysis solution. This offering aids organisations in mitigating upstream risks within their software supply chains. Black Duck® Supply Chain Edition ...
1 year ago Itsecurityguru.org