Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

jfrog

Shai-Hulud npm supply chain attack - new compromised packages detected

Nov 24, 2025 By Andrey Polkovnichenko In JFrog
(Nov 24, 2025) JFrog continues to track, provide research and document another wave of the Shai-Hulud Software Supply Chain Attack which was originally reported by the JFrog Security Research team on 16-Sep-2025. Following the initial campaign, threat actors have returned with more advanced tactics, compromising an additional 796 new malicious packages across leading public registries.
Read Post
Top 10 Node.js Development Companies to Hire Skilled Developers

Top 10 Node.js Development Companies to Hire Skilled Developers

Nov 21, 2025 By SecuritySenses In SecuritySenses
Slow releases, sluggish web apps, and clunky user experiences can stall growth, frustrate customers, and make promising digital products lose momentum. Many businesses struggle with legacy stacks that are hard to scale, costly to maintain, and too slow to keep pace with modern feature demands. Node.js changes this equation by enabling fast, event-driven, and scalable backends that handle high traffic and real-time interactions with ease. Its vast ecosystem, reusable components, and JavaScript end-to-end approach help teams ship features faster, reduce context switching, and improve overall performance.
Read Post
veracode

Malicious NPM Package Found Targeting GitHub By Typosquatting on GitHub Action Packages

Nov 10, 2025 By Veracode Threat Research In Veracode
The package states it is for the GitHub Actions Toolkit, which has a legitimate npm package @actions/artifact. Therefore this malware package is a clear typosquat with the swapping of the letters “ti” for “it”. We took a look at the “harness” binary as indicated in version 4.0.13.
Read Post
cloudflare

How Cloudflare's client-side security made the npm supply chain attack a non-event

Oct 24, 2025 By Bashyam Anant In Cloudflare
In early September 2025, attackers used a phishing email to compromise one or more trusted maintainer accounts on npm. They used this to publish malicious releases of 18 widely used npm packages (for example chalk, debug, ansi-styles) that account for more than 2 billion downloads per week. Websites and applications that used these compromised packages were vulnerable to hackers stealing crypto assets (“crypto stealing” or “wallet draining”) from end users.
Read Post
veracode

NPM Account Compromise - Tracking the "Shai-Hulud" Worm

Sep 17, 2025 By Veracode Threat Research In Veracode
Amid growing reports from the security community, Veracode has been closely tracking the resurgence of a sophisticated threat actor behind the recent npm account compromise and the injection of malware into the widely-used ‘nx’ package. This evolved malware now exhibits worm-like capabilities, enabling it to spread rapidly and amplify its infectious impact across the ecosystem.
Read Post
mend

NPM Ecosystem Under Siege: Self-Propagating Malware Compromises 187 Packages in a Huge Supply Chain Attack

Sep 16, 2025 By Tom Abai In Mend
The NPM ecosystem has been rocked by one of its widest supply chain attacks to date, with over 187 popular packages compromised by advanced malware capable of self-propagation and automated credential harvesting. This attack, affecting packages with millions of weekly downloads including angulartics2, ngx-toastr, and @ctrl/tinycolor, demonstrates how cybercriminals are evolving their tactics to create “worm-like” malware that can autonomously spread across the software supply chain.
Read Post
signmycode

npm Supply Chain Attack: What Happened and How to Protect Your Software

Sep 11, 2025 By SignMyCode In SignMyCode
On September 8, 2025, a large-scale npm supply chain attack quickly compromised 18 popular packages (with the 18 packages representing more than 2.6 billion weekly downloads within the bioinformatics ecosystem). Attackers hijacked a maintainer’s account by impersonating npm support in a phishing campaign to upload backdoored versions of popular packages like chalk, debug, ansi-styles, and supports-color.
Read Post

Copyright © 2026 OpsMatters™. All rights reserved.