SecurityWeek

136 NPM Packages Delivering Infostealers Downloaded 100,000 Times

For the past four months, over 130 malicious NPM packages deploying information stealers have been collectively downloaded ...

JFrog discloses CVSS 9.8 React vulnerability putting millions of developers at risk

Security researchers at software supply chain company JFrog Ltd. today revealed details of a critical vulnerability in React, ...
The Hacker News

Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks

The vulnerability, tracked as CVE-2025-11953, carries a CVSS score of 9.8 out of a maximum of 10.0, indicating critical severity. It also affects the "@react-native-community/cli-server-api" package ...
Hackaday

PhantomRaven Attack Exploits NPM’s Unchecked HTTP URL Dependency Feature

Having another security threat emanating from Node.js’ Node Package Manager (NPM) feels like a weekly event at this point, ...

NPM flooded with malicious packages downloaded more than 86,000 times

Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection.
Security Boulevard

PhantomRaven: npm Malware Evolves Again

Published 3:00 p.m. ET on October 31, 2025; last updated 5:00 p.m. ET on October 31, 2025 This week, an open source malware campaign dubbed ‘PhantomRaven’ has run rampant, flooding the npm registry ...
Hosted on MSN

North Korean hackers release malware-ridden packages into npm registry

Security researchers spotted 67 malicious packages on npm The packages are part of the Contagious Interview campaign They are most likely deployed by North Korean attackers North Korean hackers have ...
Bleeping Computer

Popular 'coa' NPM library hijacked to steal user passwords

Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world. The 'coa' library, short for Command-Option-Argument, ...