#Npm

npm v12 Kills Auto-Run Scripts: What Developers Must Do

GitHub is finally disabling automatic lifecycle scripts in npm v12, forcing a major shift in dependency security.

Article · 1w ago1

North Korean Hackers Poison Mastra AI in npm Attack

The compromise of the Mastra AI framework exposes critical gaps between CI/CD provenance and registry-level publish permissions.

Article · 1w ago1

How a Fake LinkedIn Job Offer Delivered a Node Backdoor

Attackers are using stolen identities and malicious npm lifecycle scripts to target developers during the recruitment process.

Article · 2w ago4

Hundreds of AUR Packages Trojanized with Malicious npm Dependency

A widespread supply chain attack on the Arch User Repository injects an infostealer via malicious npm install scripts.

News · 2w ago0

npm v12 Is About to Stop Running Your Install Scripts — Here's What to Audit

The next npm major flips lifecycle scripts, Git, and remote-URL dependencies from opt-out to opt-in. The warnings are already live in 11.16.0, so you have until July to find out what breaks.

News · 2w ago5

Miasma Worm Hits Microsoft Packages Twice in Weeks — and Your SLSA Provenance Won't Save You

The Miasma credential stealer has now compromised the same Microsoft GitHub account twice, defeating cryptographic supply-chain guarantees and triggering silently when developers open packages in AI coding agents.

Article · 2w ago1

Config Files That Run Code: The Supply Chain Blind Spot Nobody Is Auditing

The Miasma worm didn't need a malicious dependency. It used .claude/settings.json, .vscode/tasks.json, and package.json to detonate a credential stealer — before you read a single line of code.

Article · 3w ago0

Config Files That Run Code: The Supply Chain Blindspot You're Probably Not Auditing

The Miasma worm hid a credential-stealing dropper inside ordinary config files for VS Code, Cursor, Claude Code, Gemini CLI, npm, Composer, and Bundler. Here's exactly how each vector works — and what to review before you clone.

Article · 3w ago0