npm 生态遭大范围投毒:TanStack、Mistral AI、UiPath 等受波及,可窃取云 ...

IT之家5 月 12 日消息,网络安全检测机构 Socket 于当地时间 5 月 11 日发出警报,在开源工具库 TanStack 旗下约 84 个 NPM 软件包的恶意版本中发现疑似凭证窃取恶意代码。 受影响软件包覆盖 42 个 @tanstack/* 命名空间下的项目,其中 @tanstack / react-router 的周下载量超 1200 万次,此类工具包在 NPM 生态中被广泛直接或 ...

周下载超 69 万次:热门 npm 包 node-ipc 被投毒,可窃取密码等敏感信息

IT之家5 月 16 日消息,科技媒体 NeoWin 昨日(5 月 15 日)发布博文,报道称 npm 热门包 node-ipc 遭遇新的供应链攻击,多个新发布版本被植入信息窃取恶意代码。 IT之家注:node-ipc 是一个 Node.js 模块,支持 Unix、Windows、UDP、TLS 和 TCP 等多种套接字通信。 这个进程间通信包在 npm 上每周下载量仍超过 690000 次,有大 ...
InfoQ

TanStack Details Sophisticated npm Supply Chain Attack That Compromised 42 Packages

TanStack has released a detailed postmortem describing a sophisticated supply-chain attack that compromised 42 npm packages ...
新浪网

主流 JavaScript 库 Axios 遭劫持,npm 被恶意注入远程控制木马

IT之家 3 月 31 日消息,安全研究机构 StepSecurity 昨天发文称,主流 JavaScript 库 Axios 的两个 npm 版本 axios@1.14.1、axios@0.30.4 被恶意植入远程控制代码。 IT之家在此援引 StepSecurity,黑客劫持了 Axios 核心维护者“jasonsaayman”的 npm 账号,将邮箱替换为匿名的 ProtonMail ...
Morning Overview on MSN

Three separate supply-chain attacks hit npm, PyPI, and Docker Hub within 48 hours — all ...

Sometime around the last week of May 2026, attackers uploaded poisoned packages to three of the most widely used software ...
Microsoft

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm install and ...
Bleeping Computer

Compromised JavaScript Package Caught Stealing npm Credentials

A hacker has gained access to a developer's npm account and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the ...
InfoWorld

Inside NPM: Building and sharing JavaScript packages

The Node Package Manager, NPM, has become a powerful and important tool, supporting many different JavaScript frameworks — including JQuery, AngularJS, and React JS. If you’re building JavaScript ...