Search Results: npm

When npm Scripts Turn Into Silent Threats: Why Node Needs OS‑Level Sandboxing

Node’s ubiquitous package ecosystem hides a silent menace: post‑install scripts that can read, write, and exfiltrate user data. While Deno’s permission model marks a step forward, it falls short without OS‑level isolation. The article explores how macOS’s sandbox‑exec can be leveraged to harden Node, and why the community must demand deeper sandboxing for JavaScript runtimes.

Shai‑Hulud Strikes Again: How a Self‑Replicating NPM Worm Compromised Hundreds of Packages

A new wave of the Shai‑Hulud supply‑chain worm has infected dozens of npm packages, from Zapier to Postman, exploiting post‑install scripts to harvest secrets and re‑publish malicious code. The attack, timed before npm’s token revocation deadline, demonstrates the escalating sophistication of ecosystem‑wide threats and the urgent need for hardened dependency pipelines.

The Great Indonesian Tea Theft: How a NPM Spam Campaign Hijacked Thousands of Packages

A sophisticated spam operation from Indonesia leveraged NPM’s open registry to hijack popular packages, inject malicious code, and self‑replicate across thousands of projects. The attack demonstrates how even well‑known libraries can become vectors for supply‑chain compromise, and it underscores the need for stricter publishing controls.

NPM's 'Invisible Dependency' Flaw Fuels 86K Malicious Package Downloads

Attackers exploited NPM's Remote Dynamic Dependencies feature to stealthily distribute 126 credential-stealing packages downloaded over 86,000 times. The flaw allows malicious code to bypass security scans by fetching unvetted dependencies from external servers during installation. This sophisticated campaign targets developer credentials and CI/CD environments while evading traditional detection methods.

Single Malicious Line in Typosquatted npm Package Hijacked Thousands of Postmark Emails Daily

A fake 'postmark-mcp' npm package impersonating Postmark's AI email infrastructure secretly copied thousands of sensitive emails to attackers through a single backdoored line of code. The typosquatting attack compromised hundreds of developer workflows, exposing password resets, MFA codes, and confidential data. This incident highlights critical vulnerabilities in the emerging MCP ecosystem and npm's ongoing supply chain security challenges.