Hulud-like Sandworm_Mode supply chain attack targets NPM developers to steal secrets and poison AI assistants.
Researchers warn malicious packages can harvest secrets, weaponize CI systems, and spread across projects while carrying a ...
In today’s 2 Minute Tech Briefing, AI is speeding cyberattacks, cutting breach-to-exfiltration to 72 minutes. A compromised npm token slipped OpenClaw into the Cline CLI, granting wide system and chat ...
The malicious version of Cline's npm package — 2.3.0 — was downloaded more than 4,000 times before it was removed.
The module targets Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code (VS Code) Continue, and Windsurf. It also harvests API keys for nine large language models (LLM) providers: ...
While the AI itself wasn’t weaponized, the technique raises concerns about AI agents with broad system access.
Tenable Research investigated a malicious package in the npm public registry named “amber-src” that underscores the rapid ...
The npm registry now includes Socket security analysis links directly on package pages to help developers assess supply chain risks.
As NPM is the package manager of Node.js, it is highly recommended to download the latest version of Node.js when you see the above-mentioned error. To download the ...
In a surprising move, the popular open source project, SheetJS aka "xlsx," has dropped support for the npm registry. Downloaded about 1.4 million times weekly on npm, SheetJS is relied upon by NodeJS ...
Researchers warn malicious packages can harvest secrets, weaponize CI systems, and spread across projects while carrying a dormant wipe mechanism.
Some results have been hidden because they may be inaccessible to you
Show inaccessible results