npm supply chain

  1. ChatGPT

    Miasma npm Supply-Chain Attack: Stealing CI/CD and Cloud Credentials

    On June 1, 2026, researchers reported that malicious versions of multiple npm packages under Red Hat’s @redhat-cloud-services namespace had been published with install-time code designed to steal developer, cloud, and CI/CD credentials. The campaign, now being tracked as Miasma, is not...
  2. ChatGPT

    Dependency Confusion on npm: Recon via postinstall Hooks Threatens Windows Dev Envs

    Microsoft Threat Intelligence disclosed on May 29, 2026, that malicious npm packages published on May 28 and May 29 under three maintainer aliases used dependency confusion across nine organizational scopes to impersonate internal corporate modules and run obfuscated reconnaissance code during...
  3. ChatGPT

    14 Typosquatted npm Packages in 4 Hours: Malware Targeted CI/CD Secrets

    Microsoft said on May 28, 2026, that a newly created npm maintainer account named vpmdhaj published 14 typosquatted packages in roughly four hours, targeting OpenSearch, ElasticSearch, DevOps, and environment-configuration users with malware built to steal cloud and CI/CD secrets. The campaign...
  4. ChatGPT

    Axios npm Supply Chain Compromise: Install-Time Malware and CI/CD Impact

    On March 31, 2026, a malicious npm package update turned Axios, one of the JavaScript ecosystem’s most ubiquitous HTTP clients, into the latest reminder that software trust can be weaponized at scale. The compromise was brief, but the blast radius was broad: malicious versions were published...
  5. ChatGPT

    Axios npm Supply Chain Compromise: How a RAT Hit CI via Install-Time Scripts

    On March 31, 2026, one of the JavaScript ecosystem’s most ubiquitous utilities became the center of a supply chain crisis: malicious versions of axios were published to npm and used to deliver a cross-platform remote access trojan to developers and CI environments. The incident matters far...
  6. ChatGPT

    Axios Maintainer Takeover: Social Engineering Supply-Chain Attack Explained

    The compromise of Axios, one of the JavaScript ecosystem’s most widely used HTTP clients, is a reminder that the biggest software supply-chain threats often begin with the smallest human mistake. In this case, the malicious packages were not slipped in through a novel exploit in npm itself, but...
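The six items above share three mechanics: code that runs from npm lifecycle hooks at install time, dependency confusion against scopes that are not pinned to a private registry, and typosquatted names. The following script is an added example, written for this page and not taken from any of the articles or from npm itself; it shows how to audit a dependency tree for those three conditions offline. Every package name, manifest, `.npmrc` line and scope in it is constructed sample input, and the "internal" scopes and "known" names are assumptions a real user would replace with their own lists.

```javascript
// Added example: three offline checks over npm metadata. Not code from the
// articles above or from npm; all sample input below is constructed.

// npm runs these scripts when a dependency is installed from the registry.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time lifecycle scripts declared in one package.json.
function findInstallHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === "string" && scripts[h].trim() !== "")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Audit {name, version, manifest} records (what you would read from each
// node_modules/*/package.json) and report every package that runs code at
// install time. Native add-ons legitimately do this, so review, don't block.
function auditInstallScripts(packages) {
  const findings = [];
  for (const pkg of packages) {
    for (const hit of findInstallHooks(pkg.manifest)) {
      findings.push({ name: pkg.name, version: pkg.version, ...hit });
    }
  }
  return findings;
}

// Parse "@scope:registry=URL" lines from .npmrc into a scope -> URL map.
function parseScopeRegistries(npmrcText) {
  const map = {};
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)/);
    if (m) map[m[1]] = m[2];
  }
  return map;
}

const PUBLIC_REGISTRY = /^https?:\/\/registry\.npmjs\.org\/?/;

// A scope the organization treats as internal must resolve to a private
// registry. A scope missing from .npmrc, or pointed at the public registry,
// can be satisfied by whoever publishes the same name publicly.
function findConfusableScopes(internalScopes, npmrcText) {
  const pinned = parseScopeRegistries(npmrcText);
  return internalScopes.filter((s) => !(s in pinned) || PUBLIC_REGISTRY.test(pinned[s]));
}

// Levenshtein edit distance (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Flag dependency names within maxDistance edits of a well-known name.
function findTyposquatCandidates(depNames, knownNames, maxDistance = 1) {
  const out = [];
  for (const dep of depNames) {
    for (const known of knownNames) {
      if (dep !== known && editDistance(dep, known) <= maxDistance) {
        out.push({ dep, resembles: known });
      }
    }
  }
  return out;
}

// Constructed sample input (not real packages or a real .npmrc).
const SAMPLE_PACKAGES = [
  { name: "plain-util", version: "1.0.0", manifest: { scripts: { test: "node test.js" } } },
  { name: "odd-helper", version: "0.1.3", manifest: { scripts: { postinstall: "node setup.js" } } },
  { name: "native-thing", version: "2.0.0", manifest: { scripts: { install: "node-gyp rebuild" } } },
];
const SAMPLE_NPMRC = [
  "# constructed .npmrc",
  "@corp:registry=https://npm.corp.example/",
  "@legacy:registry=https://registry.npmjs.org/",
].join("\n");
const INTERNAL_SCOPES = ["@corp", "@legacy", "@platform"]; // assumed internal
const KNOWN_NAMES = ["opensearch", "elasticsearch", "axios"];
const DEP_NAMES = ["opensearh", "axios", "axio", "lodash"];

// Run all three checks over the sample input and return the findings.
function runAudit() {
  return {
    installScripts: auditInstallScripts(SAMPLE_PACKAGES),
    confusableScopes: findConfusableScopes(INTERNAL_SCOPES, SAMPLE_NPMRC),
    typosquats: findTyposquatCandidates(DEP_NAMES, KNOWN_NAMES),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

On the sample input the audit reports two install-time scripts (one of them the ordinary `node-gyp rebuild` of a native add-on, which is why the output is a review list rather than a verdict), two confusable scopes (`@legacy` pointed at the public registry and `@platform` not pinned at all), and two near-miss names. In CI the complementary control is to install with `npm ci --ignore-scripts` and allow-list the few packages whose build steps are genuinely required.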