In the wake of the massive Shai-Hulud supply chain attack that ripped through npm late last year, compromising more than 700 packages and exposing 25,000 repositories, developers in the JavaScript world embraced a two-part defense strategy. The widely adopted playbook called for disabling lifecycle scripts and using lockfiles. “It became the standard advice everywhere […]
Attackers Testing New Strain of Shai-Hulud on npm: Aikido
Threat actors behind the virulent Shai-Hulud worm that wreaked havoc in open npm repositories toward the end of 2025 apparently are trying out a new strain that comes with slight modifications. Security researchers with Aikido Security, who have been tracking Shai-Hulud for months, wrote in a report that was updated January 2 that there doesn’t […]
Malicious VS Code Extensions Take Screenshots, Steal Info
Developers were the targets of two new malicious Microsoft Visual Studio Code (VS Code) extensions created by a threat actor that security researchers believe is experimenting with methods for delivering information-stealing malware to the victims’ systems. The malicious extensions come posing as a harmless “premium dark theme” and an AI-powered coding assistant, but both – […]
Malicious Nx Packages Used in Two Waves of Supply Chain Attack
The Nx build system was hit by a supply chain attack dubbed “s1ngularity,” leaking thousands of secrets and exploiting AI tools for data theft.
npm is Scam-Spam Cesspool ¦ Google in Microsoft Antitrust Thrust
In this week’s #TheLongView: The npm registry suffers spam infestation, and Microsoft makes Google sad.
Speed NPM Releases and Gain Confidence Using an NPM Registry
Building applications in the NPM development life cycle can be very complex. Let’s review the main factors that contribute to this complexity: An endless number of variables: Building applications involves a huge number of variables. Not only are there locally installed dependencies in the package.json (which should use absolute versions for each dependency), but there […]