The Bitwarden CLI was briefly compromised after attackers uploaded a malicious @bitwarden/cli package to npm containing a credential-stealing payload capable of spreading to other projects.

Self-propagating npm worm steals tokens via postinstall hooks, impacting six packages and expanding supply chain attacks.

Hackers hijacked the npm account of the Axios package, a JavaScript HTTP client with 100M+ weekly downloads, to deliver remote access trojans to Linux, Windows, and macOS systems. One malicious ...

Security companies flagged axios@1.14.1 and 0.30.4 as compromised, urging credential rotation and rollback of affected packages. Update March 31, 2026, 1:28 pm UTC: This article has been updated to ...

A widely used JavaScript package used with over a hundred million weekly downloads has been compromised in a new supply chain attack to fetch a malware payload for Windows, Linux systems and macOS ...

Attackers stole a long-lived npm token from the lead axios maintainer and published two poisoned versions that drop a cross-platform RAT. Axios sits in 80% of cloud environments. Huntress confirmed ...

Ethereum and Solana developers were targeted by five malicious npm packages that steal private keys and send them to the attacker. The packages rely on typosquatting, mimicking legitimate crypto ...

Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with content, and download exclusive resources. Dany Lepage discusses the architectural ...

Anthropic, the American artificial intelligence company behind the Claude family of AI models, has once again inadvertently exposed the complete source code of its AI coding tool, Claude Code, through ...