Microsoft

From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet

A poisoned npm package infected 140+ projects with a hidden payload. This report highlights how to detect, hunt, and defend ...
The Next Web

OpenAI says no user data was touched in the TanStack npm worm

Two corporate laptops, some credential material, and a forced macOS app update. The interesting part is how the malicious packages got published in the first place: not by a stolen npm password, but ...
Tech Times

npm Supply Chain Attack: North Korea Backdoored 144 AI Packages in 88 Minutes

Mastra AI’s 144 JavaScript packages was executed in just 88 minutes by North Korea’s Sapphire Sleet hacking group, which ...

Red Hat hit by npm supply‑chain attack - here's how to stay safe

Red Hat hit by npm supply‑chain attack - here's how to stay safe ...

npm tackles its riskiest security issues

With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit approval from July 2026.