NPM package ‘is’ with 2.8M weekly downloads infected devs with malware (www.bleepingcomputer.com)
Posted by Kid@sh.itjust.works to Cybersecurity@sh.itjust.works · English · 2 months ago
HubertManne@piefed.social · English · 2 months ago
holy crap:
On July 19, 2025, the package’s primary maintainer, John Harband, announced that versions 3.3.1 through 5.0.0 contained malware and were removed roughly 6 hours after threat actors submitted them to npm.