Self-propagating supply chain attack hits 187 npm packages

A recent security incident has revealed a self-propagating supply chain attack impacting 187 npm packages, posing significant risks to the JavaScript development ecosystem. This attack leverages malicious code injection into widely used npm packages, enabling the threat actors to spread malware rapidly across numerous projects and environments. The compromised packages serve as a vector for distributing malicious payloads, potentially leading to data breaches, unauthorized access, and system compromise for developers and organizations relying on these dependencies. The attack underscores the critical need for enhanced security measures in open-source software supply chains, including rigorous package vetting, continuous monitoring, and adoption of automated security tools to detect anomalies early. Developers are urged to audit their dependencies, update to clean package versions, and implement strict security policies to mitigate the impact of such supply chain threats. This incident highlights the evolving tactics of cybercriminals targeting software supply chains and the importance of community vigilance and collaboration to safeguard the integrity of open-source ecosystems.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 16 Sep 2025 16:50:24 +0000

Cyber News related to Self-propagating supply chain attack hits 187 npm packages

CVE-2024-56649 - In the Linux kernel, the following vulnerability has been resolved: net: enetc: Do not configure preemptible TCs if SIs do not support Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure MQPRIO. And enetc_setup_tc_mqprio() calls ...
9 months ago Tenable.com

Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
1 year ago Feeds.dzone.com

Self-propagating supply chain attack hits 187 npm packages - A recent security incident has revealed a self-propagating supply chain attack impacting 187 npm packages, posing significant risks to the JavaScript development ecosystem. This attack leverages malicious code injection into widely used npm packages, ...
3 weeks ago Bleepingcomputer.com

New "MITRE ATT&CK-like" framework outlines software supply chain attack TTPs - A new open framework seeks to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack ...
2 years ago Csoonline.com

'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com

Supply Chain Worm Infects Hundreds of NPM Packages - A recent supply chain attack has compromised hundreds of NPM packages, posing significant risks to the JavaScript development community. This widespread infection involves malicious actors injecting harmful code into popular open-source libraries, ...
3 weeks ago Infosecurity-magazine.com

Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
6 months ago Cybersecuritynews.com Lazarus Group

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com

CISA Announces Renewal of the Information and Communications Technology Supply Chain Risk Management Task Force - The Task Force, chaired by CISA's National Risk Management Center and the Information Technology and Communications Sector Coordinating Councils, is a public-private partnership composed of a diverse range of representatives from public and private ...
1 year ago Cisa.gov

Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com

New Supply Chain Attack Leveraging Python Package Index Targeting Wacatac Trojan - A new supply chain attack has recently been detected targeting Python Package Index (PyPI) users with the Wacatac Trojan. This attack is seen as the latest in a series of advanced persistent threats (APT) targeting the escalating use of Python in ...
2 years ago Securityweek.com

NPM Supply Chain Attack via ctrl-tinycolor Package Exposes Thousands of Projects - A recent supply chain attack targeting the npm ecosystem has been uncovered, involving the malicious ctrl-tinycolor package. This incident highlights the growing threat of supply chain compromises in open-source software repositories. The attacker ...
3 weeks ago Cybersecuritynews.com

Tensorflow Supply Chain Compromise via Self-Hosted Runner Attack - Let's say TensorFlow wants to run a set of tests when a GitHub user submits a pull request. TensorFlow can define these tests in a yaml workflow file, used by GitHub Actions, and configure the workflow to run on the `pull request` trigger. One type ...
1 year ago Securityboulevard.com

5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
6 months ago Cybersecuritynews.com

npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
2 months ago Bleepingcomputer.com

UK, ROK sound alarm over North Korean supply chain attacks The Register - The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks. "In an increasingly digital and interconnected ...
1 year ago Theregister.com Lazarus Group

Supply Chain Cybersecurity - CISO Risk Management Guide - As regulatory scrutiny intensifies and cyber threats grow more sophisticated, CISOs must adopt a proactive, strategic approach to supply chain cybersecurity risk management, making it a boardroom priority and an integral part of organizational ...
5 months ago Cybersecuritynews.com

SCS 9001 2.0 reveals enhanced controls for global supply chains - In this Help Net Security interview, Mike Regan, VP of Business Performance at TIA, discusses SCS 9001 Release 2.0, a certifiable standard crafted to assist organizations in operationalizing the NIST and other government guidelines and frameworks. ...
1 year ago Helpnetsecurity.com

Hackers hijack NPM packages with 2 billion weekly downloads in supply chain attack - In a significant supply chain attack, hackers have compromised popular NPM packages that collectively boast over 2 billion weekly downloads. This incident highlights the growing threat of supply chain vulnerabilities in the software development ...
1 month ago Bleepingcomputer.com

Self-Replicating Shai Hulud Worm Infects NPM Packages - The recent discovery of the self-replicating Shai Hulud worm targeting NPM packages marks a significant escalation in supply chain attacks within the software development ecosystem. This worm propagates by injecting malicious code into JavaScript ...
3 weeks ago Darkreading.com

Shai-Halud Supply Chain Attack: A New Threat to Cybersecurity - The Shai-Halud supply chain attack represents a significant escalation in cyber threats targeting global supply networks. This sophisticated attack exploits vulnerabilities in software supply chains, allowing threat actors to infiltrate multiple ...
3 weeks ago Cybersecuritynews.com

3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com

GitHub tightens npm security with mandatory 2FA for access tokens - GitHub has announced a significant security enhancement for npm package maintainers by mandating two-factor authentication (2FA) for all access tokens. This move aims to bolster the security of the npm ecosystem, which is critical given the ...
2 weeks ago Bleepingcomputer.com

Synopsys Introduces Latest Solution for Comprehensive Security Across Software Supply Chains - Synopsys has introduced Black Duck® Supply Chain Edition, a novel software composition analysis solution. This offering aids organisations in mitigating upstream risks within their software supply chains. Black Duck® Supply Chain Edition ...
1 year ago Itsecurityguru.org