The lurking code-bombs lift Discord tokens from users of any applications that pulled the packages into their code bases. A series of malicious packages in the Node.js package manager (npm) code ...

Traditional methods often involved using trusted services like GitHub or Google Drive to host harmful links, but now, by embedding commands within Ethereum smart contracts, attackers are able to ...

ReversingLabs discovered two NPM packages, colortoolsv2 and mimelib2, using Ethereum smart contracts to download malware.

Ethereum smart contracts used to hide URL to secondary malware payloads in an attack chain triggered by a malicious GitHub ...

GitHub security team has identified several high-severity vulnerabilities in npm packages, "tar" and "@npmcli/arborist," used by npm CLI. The tar package receives 20 million weekly downloads on ...

The popular Nx build system, boasting 4 million downloads each week, was exploited in the first supply chain breach to use AI ...

Bad actors using typo-squatting place 39 malicious packages in npm that went undetected for two weeks. How should the open source community respond?