The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, ...

GlassWorm campaign used 72 malicious Open VSX extensions and infected 151 GitHub repositories, enabling stealth supply-chain attacks on developers.

Researchers at Endor Labs uncovered 88 new packages tied to new waves of the campaign, which uses remote dynamic dependencies to deliver credential-stealing malware.

Malicious npm package '@openclaw-ai/openclawai' downloaded 178 times installs GhostLoader RAT, stealing credentials and crypto wallets.

New attack waves from the 'PhantomRaven' supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers.

An experimental Rust compiler is intended to replace the previous Go compiler, and the Astro dev server now supports custom runtimes.

On September 17, 2025, Cybersecurity researchers uncovered the first real-world case of a malicious Model Context Protocol (MCP) server embedded in an npm package called postmark-mcp. The package, ...

A potential npm supply chain disaster was averted in record time after attackers took over a verified developer’s credentials. On September 8, Josh Junon, a developer with over 1800 GitHub ...

In package.json it is possible to highlight package description and it's newest version. However this does not work for packages installed from custom configured npm ...