A software supply chain attack has compromised several popular npm packages within the @antv ecosystem. Attackers gained control of a maintainer's account to distribute malicious code. The affected packages include `echarts-for-react`, a library with over one million weekly downloads, which makes the compromise a significant risk.
The npm registry has experienced another malware attack, this time affecting the AntV data visualization tool. The incident occurred after an attacker compromised the credentials of a maintainer for the popular `timeago.js` library, highlighting ongoing risks in the open-source software supply chain.
Microsoft has uncovered a supply chain attack targeting the @antv npm ecosystem. Attackers compromised a maintainer's account to publish malicious versions of data-visualization packages. The code aims to steal credentials from CI/CD pipelines and affects widely used libraries like `echarts-for-react`.
Grafana Labs confirmed a security breach limited to its GitHub environment, exposing public and private source code. The company stated that its investigation found no evidence of customer production systems being compromised. The incident was linked to a supply chain attack involving a TanStack npm package.
GitHub has confirmed that a recent breach of 3,800 internal repositories was caused by a malicious VS Code extension. The extension was compromised in a wider supply-chain attack targeting the popular TanStack npm packages, highlighting the growing risks of software dependencies.
A recently leaked malware kit named "Shai-Hulud" is now being used in a new campaign targeting the npm registry. Attackers are publishing infected packages to steal sensitive information from developers' systems, including credentials and cryptocurrency wallets. This highlights the ongoing risk of software supply chain attacks.