The Hacker News

Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials

Malicious npm package '@openclaw-ai/openclawai' downloaded 178 times installs GhostLoader RAT, stealing credentials and crypto wallets.
InfoQ

Vue Router 5: File-Based Routing Into Core with No Breaking Changes

Vue Router 5.0 has integrated unplugin-vue-router into its core, enhancing file-based routing and TypeScript support. This transition release boasts no breaking changes, simplifies dependencies, and ...
The Hacker News

Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens

The module targets Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code (VS Code) Continue, and Windsurf. It also harvests API keys for nine large language models (LLM) providers: ...

Socket Announces Support for PHP with Composer and Packagist Integration

Developers Can Now Search, Analyze, and Secure PHP Dependencies with AI-Powered Supply Chain Protection It would be ...
Technobezz.com

Microsoft's VS Code Snap Package Fails to Delete Files on Linux

A bug in VS Code's Snap package leaves deleted files on Linux disks, exposing sensitive data due to a flawed local trash system. Low disk space from accumulating trash files can slow systems, editors, ...
Retail Dive

Saks Global files for bankruptcy, shakes up leadership after a year of struggles

Former Neiman Marcus Group chief Geoffroy van Raemdonck, now CEO, is bringing on a fresh slate of executives — and has a $1.75 billion financing package to work with. Saks Global’s new CEO is already ...
Bleeping Computer

Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub

Hundreds of trojanized versions of well-known packages such as Zapier, ENS Domains, PostHog, and Postman have been planted in the npm registry in a new Shai-Hulud supply-chain campaign. The malicious ...
Dark Reading

150,000 Packages Flood NPM Registry in Token Farming Campaign

Amazon researchers discovered more than 150,000 malicious packages in the NPM registry, in what they called "a defining moment in supply chain security." The packages were part of a token farming ...
SecurityWeek

Amazon Detects 150,000 NPM Packages in Worm-Powered Campaign

A financially motivated threat actor automated the package publishing process in a coordinated tea.xyz token farming campaign. More than 150,000 malicious packages were published in the NPM registry ...
SecurityWeek

Tens of Thousands of Malicious NPM Packages Distribute Self-Replicating Worm

The spam campaign is likely orchestrated by an Indonesian threat actor, based on code comments and the packages’ random names. A threat actor has published tens of thousands of malicious NPM packages ...
CSOonline

Malicious packages in npm evade dependency detection through invisible URL links: Report

Threat actors are finding new ways to insert invisible code or links into open source code to evade detection of software supply chain attacks. The latest example was found by researchers at ...