JFrog found malicious npm packages that deploy a Windows RAT to steal Chrome credentials, run commands, and transfer files.

Mastra npm packages added easy-day-js malware, exposing developer systems and CI runners to infostealer risks.

Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers ...

Microsoft links the recent Mastra AI npm supply chain attack to , a North Korean group known for cryptocurrency theft ...

A poisoned npm package infected 140+ projects with a hidden payload. This report highlights how to detect, hunt, and defend ...

For a few critical days at the end of April 2026, thousands of developers building SAP integrations unknowingly handed their passwords and cloud credentials to attackers. Four widely used npm packages ...

The popular Mastra AI framework, used to build artificial intelligence agents, workflows and retrieval-augmented generation ...

The NPM JavaScript registry has experienced a jump in malware, including packages related to data theft, crypto mining, botnets, and remote code execution, according to security company WhiteSource.

In a newly discovered supply chain attack, attackers last week targeted a range of npm-hosted JavaScript type testing utilities, several of which were successfully compromised to distribute malware.

A npm package copying the official ‘postmark-mcp’ project on GitHub turned bad with the latest update that added a single line of code to exfiltrate all its users' email communication. Published by a ...

Multiple npm packages published by the crypto exchange, dYdX, and used by at least 44 cryptocurrency projects appear to have been compromised. Powered by the Ethereum blockchain, dydX is a ...