Search Results: npmSecurity

NPM's 'Invisible Dependency' Flaw Fuels 86K Malicious Package Downloads

Attackers exploited NPM's Remote Dynamic Dependencies feature to stealthily distribute 126 credential-stealing packages downloaded over 86,000 times. The flaw allows malicious code to bypass security scans by fetching unvetted dependencies from external servers during installation. This sophisticated campaign targets developer credentials and CI/CD environments while evading traditional detection methods.

Popular NPM Package 'is' Hijacked in Supply Chain Attack, Infects Millions of Developers

The ubiquitous JavaScript utility library 'is' with 2.8 million weekly downloads was compromised in a sophisticated supply chain attack, injecting backdoor malware that grants attackers remote code execution. Attackers hijacked maintainer accounts via phishing to publish malicious versions, impacting critical development tools and infrastructure across the ecosystem.

Supply Chain Sabotage: npm Linter Tools Hijacked via Targeted Phishing Attack

Popular JavaScript packages like eslint-config-prettier, with over 30 million weekly downloads, were compromised after a maintainer fell victim to a phishing scheme, leading to malware-infected versions targeting Windows systems. This incident underscores the escalating threat of supply chain attacks in open-source ecosystems and highlights critical security gaps for developers.