
The popular NPM package 'is' has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to compromised devices.
Introducing node-cmd-exec for Node.js!
Run shell commands like a pro, async or sync, Promises & callbacks supported, zero dependencies.
Unleash the full power of Node.js scripting!
Star the repo - your support means a lot!
npm: https://www.npmjs.com/package/node-cmd-exec
GitHub: https://github.com/DhanushNehru/node-cmd-exec
Like + RT for reach.
https://www.europesays.com/de/292667/ Popular JavaScript package is: Malware through supply-chain attack #Deutschland #Germany #IT #JavaScript #Malware #npm #Science #Science&Technology #SupplyChain #Technik #Technology #Wissenschaft #Wissenschaft&Technik
High-Value NPM Developers Compromised in New Phishing Campaign https://www.securityweek.com/high-value-npm-developers-compromised-in-new-phishing-campaign/ #SupplyChainSecurity #SupplyChain #phishing #NPM
@static @Noisecolor TBH, #npm suffers the same problems and then some as #AUR and has seen its fair share of #abuse and #CyberVandalism ranging from malicious commits to flat-out #malware distribution, so it has the #centralization problem!
The JS ecosystem really never disappoints.
«Jordan Harband alerted the public that the is package was compromised due to another maintainer’s account being hijacked»
«Socket has confirmed both 3.3.1 and 5.0.0 of the is package as malicious.»
https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack
#NPM package 'is' with 2.8M weekly downloads was compromised and infected developers with malware:
#AppSec
#SoftwareSupplyChainSecurity
https://www.bleepingcomputer.com/news/security/npm-package-is-with-28m-weekly-downloads-infected-devs-with-malware/
Heads up, developers! A major npm Registry security breach has compromised 847 packages. Social engineering gave attackers access to maintainer accounts. Stay vigilant!
#Cybersecurity #DevSecOps #npm
Centralization in package registries is really problematic: The CSS preprocessor stylus has been flagged as malicious on #npm. So thousands of people and software projects which depend on this package are now failing. All because a completely unrelated software package for "Stylus input" in #ChromeOS seems to be problematic. Seems that they're just flagging packages with "stylus" in their name. #WebDev
If your npm-related builds are failing...
Someone flagged stylus to be a compromised package, and webpack (sometimes) depends on it.
It's going to be a fun day in many places, I suspect (among others, our pipelines also are dead right now :)).
#npm #webpack #stylus #security #buildFailingLikeAFlakyTest
https://www.npmjs.com/package/stylus
https://github.com/stylus/stylus/issues/2938
Scavenger Malware Compromises Popular npm Packages
The popular npm package eslint-config-prettier was recently published without authorization raising concerns of a supply chain attack.
Pulse ID: 688039a7818cda8d24f2977c
Pulse Link: https://otx.alienvault.com/pulse/688039a7818cda8d24f2977c
Pulse Author: cryptocti
Created: 2025-07-23 01:23:51
Be advised, this data is unverified and should be considered preliminary. Always do further verification.