The Hacker News

10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux

Ten typosquatted npm packages (Jul 4, 2025) delivered a 24MB PyInstaller info stealer using 4 obfuscation layers; ~9,900 ...
Dark Reading

Self-Replicating 'Shai-hulud' Worm Targets NPM Packages

A self-replicating malware is worming its way into open source software components. The malware's name is "Shai-hulud," presumably taking its name from the Dune sandworms, and it's particularly ...
CSO Online

Malicious packages in npm evade dependency detection through invisible URL links: Report

Researchers outline how the PhantomRaven campaign exploits hole in npm to enable software supply chain attacks.