开发者警惕!全球主流平台npm遭供应链投毒攻击:可窃取云密钥、SSH ...

快科技5月25日消息,今日,国家网络安全通报中心发文称,监测发现,全球主流JavaScript软件包管理平台npm遭“沙虫”(Shai-Hulud)供应链投毒攻击。 据通报,攻击者攻陷了npm官方维护者账户,并在短时间内批量投放大量恶意软件包,涉及300余个独立程序包的600余个恶意版本,影响多个热门开源项目。 当开发者安装恶意依赖包后,程序会自动在本地主机、CI/CD流水线环境执行恶意代码,窃取 ...

主流JavaScript软件包管理平台npm遭供应链投毒攻击

2026年5月25日,国家网络安全通报中心发布:监测发现,全球主流Java软件包管理平台npm遭“沙虫” ...
Microsoft

From package to postinstall payload: Inside the Mastra npm supply chain compromise by ...

A poisoned npm package infected 140+ projects with a hidden payload. This report highlights how to detect, hunt, and defend ...
The Hacker News

145 Mastra npm Packages Compromised via Hijacked Contributor Account

Mastra npm packages added easy-day-js malware, exposing developer systems and CI runners to infostealer risks.
Bitcoin Magazine

NPM Attack: Javascript Library Compromise Goes After Bitcoin Wallets

NPM developer qix's account compromise potentially puts user funds at risk by compromising library dependencies used by bitcoin wallets. A major NPM developer, qix, has had their account compromised.
InfoWorld

NPM: Free public JavaScript registry will continue

Is the public NPM JavaScript package registry going away? NPM, the company behind the popular online repository of Node.js and JavaScript code, insists it will remain, despite a recent rumor to the ...