A new security bypass has users installing AI agent OpenClaw — whether they intended to or not. Researchers have discovered that a compromised npm publish token pushed an update for the widely-used ...

Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code. According to advisories from the npm security team, the three JavaScript libraries opened ...

The module targets Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code (VS Code) Continue, and Windsurf. It also harvests API keys for nine large language models (LLM) providers: ...

Over a dozen popular npm packages were compromised in a phishing-based supply chain attack The malware targeted crypto users by hijacking wallet addresses during transactions Some called it the most ...

The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers ...

Attackers have poisoned a code package on the npm registry in a novel way, hiding credential-stealing malware in steganographic QR codes embedded in a package purporting to offer a JavaScript utility.

A 'logical flaw' in the npm registry enabled authors of malicious packages to quietly add anyone and any number of users as 'maintainers' to their packages in an attempt to boost the trust in their ...

A security researcher and system administrator has developed a tool that can help users check for manifest mismatches in packages from the NPM JavaScript software registry. Last week, a former ...