A six-minute attack compromised the trust model of modern JavaScript development, pushing 84 malicious package versions across 42 @tanstack packages via a legitimate release pipeline. The "worm" spread to over 170 packages on npm and PyPI, affecting over 518 million cumulative downloads and targeting credential theft.
Em 31 de março de 2026, a Anthropic publicou acidentalmente 513 mil linhas do código-fonte do seu agente Claude Code no npm devido a um erro de empacotamento. Este vazamento expôs a arquitetura interna, resultando em duas CVEs críticas que permitem execução remota de código e exfiltração de chaves API.
Malicious versions of the node-ipc npm package were found to contain stealer/backdoor payloads. The malware harvests credentials for AI tools and cloud services like AWS, Azure, and GCP, exfiltrating data via HTTPS and DNS.
npm has made private packages free, following a trend seen with GitHub where platforms drop container costs to zero to maintain lock-in. This shift enables monetization at the intelligence layer (e.g., AI features), a pattern seen in reverse with AI APIs like ChatGPT, which are now adding features around user data and customization.
An NPM supply chain attack bypassed GitHub's 2FA, compromising a developer's account and publishing malicious packages. This jeopardizes the JavaScript ecosystem, potentially impacting thousands of dependent projects, and highlights vulnerabilities in software supply chain security.
A sophisticated npm supply chain attack affected 42 TanStack packages, publishing 84 malicious versions within 6 minutes. The attackers exploited a dangerous GitHub Actions trigger, without needing stolen passwords.
This content offers a quick guide on npm defense in 30 seconds, aimed at developers. It provides essential security tips for coding projects.