The incident has been described as one of the most significant code leaks in recent times, involving the exposure of Claude Code.

Updated: Hijacked maintainer account let attackers slip cross-platform trojan into 100M-downloads-a-week Axios ...

Up to four npm packages on Axios were replaced with malicious versions, in one of the most sophisticated supply chain attacks.

A new malicious npm campaign using fake installation logs to hide malware activity has been identified by security researchers. The attacks, discovered by ReversingLabs, involve malicious packages ...

New attack waves from the ‘PhantomRaven’ supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers. The campaign ...

Security researchers have uncovered a new supply chain attack targeting the NPM registry with malicious code that exhibits worm-like propagation capabilities. Dubbed Sandworm_Mode, the attack was ...

A new security bypass has users installing AI agent OpenClaw — whether they intended to or not. Researchers have discovered that a compromised npm publish token pushed an update for the widely-used ...

The typosquatted packages auto-execute on installation, fingerprint victims by IP, and deploy a PyInstaller binary to harvest credentials from browsers, SSH keys, API tokens, and cloud configuration ...