NPM Packages Hijacked to Spread Malware: What You Need to Know

The recent hijacking of popular NPM packages has raised significant concerns in the cybersecurity community. Attackers have exploited vulnerabilities in widely used JavaScript libraries to distribute malware, putting countless developers and organizations at risk. This incident highlights the critical need for enhanced security measures in open-source software ecosystems. NPM, the Node Package Manager, is a vital tool for JavaScript developers, providing access to thousands of reusable packages. However, its popularity also makes it a prime target for cybercriminals seeking to inject malicious code into legitimate packages. The hijacked packages were modified to include malware that can steal sensitive information, execute unauthorized commands, or create backdoors for persistent access. Developers are urged to verify the integrity of packages before installation, use tools for dependency auditing, and stay informed about security advisories. Organizations should implement strict policies for third-party software usage and consider automated solutions to detect and mitigate supply chain attacks. This event underscores the broader challenge of securing the software supply chain, which has become a favored vector for sophisticated threat actors. By understanding the tactics used in these attacks, the cybersecurity community can better defend against future incidents and protect the integrity of software development processes.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 09 Sep 2025 05:55:14 +0000

Cyber News related to NPM Packages Hijacked to Spread Malware: What You Need to Know

How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 year ago Aws.amazon.com

How to Remove Malware + Viruses - Malware removal can seem daunting after your device is infected with a virus, but with a careful and rapid response, removing a virus or malware program can be easier than you think. We created a guide that explains exactly how to rid your Mac or PC ...
1 year ago Pandasecurity.com

'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
2 years ago Bleepingcomputer.com

What is Word Unscrambler In Gaming? - Are you tired of getting stuck on those tricky word puzzles in your favourite mobile game? Have you ever wished for a tool to help unscramble those seemingly impossible words? Look no further because the word unscrambler is here to save the day! This ...
2 years ago Hackread.com

NPM Packages Hijacked to Spread Malware: What You Need to Know - The recent hijacking of popular NPM packages has raised significant concerns in the cybersecurity community. Attackers have exploited vulnerabilities in widely used JavaScript libraries to distribute malware, putting countless developers and ...
4 months ago Cybersecuritynews.com

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com

How to Protect Yourself From Phone Searches at the US Border | WIRED - Canadian authorities have updated travel guidance to warn of phone searches and seizures, some corporate executives are reconsidering the devices they carry, some officials in Europe continue to receive burner phones for certain trips to the US, and ...
8 months ago Wired.com

Malicious NPM packages fetch info-stealer for Windows, Linux, macOS - A recent cybersecurity investigation has uncovered malicious NPM packages that distribute an info-stealer malware targeting Windows, Linux, and macOS platforms. These packages, hosted on the popular Node Package Manager (NPM) repository, have been ...
2 months ago Bleepingcomputer.com

Hackers Created 250 npm Packages, Mimicking Popular AWS And Microsoft Projects - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
1 year ago Cybersecuritynews.com

Types of Malware and How To Prevent Them - Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. Even if you've downloaded a VPN for internet browsing, our in-depth guide discusses the 14 ...
1 year ago Pandasecurity.com

VMware vCenter RCE Vulnerability: What You Need to Know - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
1 year ago Securityboulevard.com

How to Set Up a VLAN in 12 Steps: Creation & Configuration - Each VLAN configuration process will look a little different, depending on the specifications you bring to the table, and some of these steps - particularly steps five through eight - may be completed simultaneously, in a slightly different order, or ...
2 years ago Esecurityplanet.com

New 'NKAbuse' Linux Malware Uses Blockchain Technology to Spread - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
2 years ago Hackread.com

Microsoft Teams External Access Abuses to Spread DarkGate Malware - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
1 year ago Hackread.com

5 Types of Crypto You Didn't Know Existed - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
1 year ago Hackread.com

5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
10 months ago Cybersecuritynews.com

Should I get CISSP Certified? - CISSP's reputation as a certification is for being 'a mile wide and an inch deep'. That's a limitation too - CISSP means you understand something, but not that you know how to do it. But the exam is a six-hour marathon consisting of a vast array of ...
1 year ago Securityboulevard.com

Fake hotel reservation phishing scam uses PDF links to spread MrAnon Stealer - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
2 years ago Hackread.com

YouTube Channels Hacked to Spread Lumma Stealer via Cracked Software - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
2 years ago Hackread.com

Less is more: Conquer your digital clutter before it conquers you - In case you missed it, last week was Data Privacy Week, an awareness campaign to remind everybody that any of our online activities creates a trail of data and that we need to better manage our personal information online. Increasingly, we live our ...
2 years ago Welivesecurity.com

3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com

New Linux Backdoor Attacking Linux Users Via Installation Packages - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
1 year ago Gbhackers.com

npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
5 months ago Bleepingcomputer.com

The Invisible Storm: Why Cloud Malware Is Your Business's New WeatherEmergency - Protecting your business from cloud malware requires a fundamental shift in security thinking, as traditional defenses simply weren’t designed for these sophisticated airborne threats. Recent research by Cloud Storage Security identified ...
8 months ago Cybersecuritynews.com

Fake Lockdown Mode Exposes iOS Users to Malware Attacks - Cookies, device or similar online identifiers together with other information can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here. Advertising ...
2 years ago Hackread.com