A Dune-inspired worm recently hit CrowdStrike and npm, infecting hundreds of packages. Here's what happened - and how to protect your code.
The NPM JavaScript registry has experienced a jump in malware, including packages related to data theft, crypto mining, botnets, and remote code execution, according to security company WhiteSource.
MCP plus open source plus typosquatting equals trouble A fake npm package posing as Postmark's MCP (Model Context Protocol) ...
GitHub's security team has identified several high-severity vulnerabilities in the npm packages "tar" and "@npmcli/arborist", which are used by the npm CLI. The tar package receives 20 million weekly downloads on ...
In another vast software supply-chain attack, the password-stealer is filching credentials from Chrome on Windows systems via ChromePass. A credentials-stealing code bomb that uses legitimate password ...