Supply chain attack hits #npm package with 45,000 weekly downloads
npm Should Remove the Default License From New Packages (ISC), by @extremq.com:
https://extremq.com/npm-should-remove-the-default-license-from-new-packages-isc/
Not sure if I should laugh at #Github #NPM or #WordPress here. Probably all three.
https://github.com/WordPress/gutenberg/blame/trunk/package-lock.json
Just updated my tSNE NPM package. I created a separate demo repository to make the main package much smaller:
https://www.npmjs.com/package/msvana-tsne
The msvana-tsne package is a JavaScript/TypeScript implementation of the t-SNE algorithm, designed to project high-dimensional data into lower dimensions for visualization purposes. It operates without external dependencies.
Here is a simple demo: https://msvana.github.io/tsne-demo/
A decade of Impact: How our #npm Packages hit 1 billion downloads and shaped #JavaScript
https://forwardemail.net/en/blog/docs/how-npm-packages-billion-downloads-shaped-javascript-ecosystem
A damned travesty we can't have #JSON5 for #Node or #npm config files. https://github.com/nodejs/node/issues/40714 & https://github.com/npm/feedback/discussions/56 - nobody dares be the prime mover. #JSON is just abysmal for anything humans need to work with.
#Development #Announcements
GSAP is now 100% free · Good news for GSAP JavaScript animators https://ilo.im/163lnu
_____
#Animation #Toolset #GSAP #Library #JavaScript #Npm #WebDev #Frontend
Publish a #PHP package on #Packagist...
Package availability: almost instantaneous.
Publish a #JavaScript package on #npm...
Package availability: almost instantaneous.
Publish a #dotNET package on #NuGet...
Package availability: please wait 15-20 minutes!
It's been 5 years since a single #Javascript line broke half the Internet.
On April 25th, 2020 the one-line #npm package "is-promise" was changed by the author - and because this one line was a dependency for a myriad of websites, they all broke.
A package with one line of code ...
Backdoored xrpl.js on NPM (CVE-2025-32965) stole XRP private keys. Affected: 4.2.1-4.2.4 & 2.14.2. Rotate keys NOW!
https://zerodaily.me/blog/2025-04-23-xrpljs-backdoor-cve-2025-32965.md
#Development #Approaches
CSS theme variables from a JS file · How to avoid redundant theme maintenance https://ilo.im/163gg9
_____
#Themes #Colors #CustomProperties #CSS #JavaScript #Npm #WebDev #Frontend
Official XRP NPM package has been compromised and key stealing malware introduced
How to Install #Directus on #AlmaLinux #VPS
Here's a step-by-step guide detailing how to install Directus on AlmaLinux VPS.
What is Directus?
Directus is an open-source #headless #CMS and data platform that allows you to manage and interact with your database through a RESTful API or GraphQL API. It provides a modern, user-friendly admin interface for ...
Continued https://blog.radwebhosting.com/how-to-install-directus-on-almalinux-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=ReviveOldPost #cmsapps #nodejs #npm #vpsguide #installguide #selfhosting #letsencrypt #selfhosted #postgresql
Masquerading payment npm package installs backdoor https://www.developer-tech.com/news/masquerading-payment-npm-package-installs-backdoor/ #npm #javascript #developers #coding #programming #hacking #security #infosec #tech #news #technology
Atomic and Exodus crypto wallets targeted in malicious npm campaign
A malicious npm package named pdf-to-office was discovered targeting cryptocurrency wallets. The package, posing as a PDF to Office converter, injects malicious code into locally installed Atomic and Exodus wallets. This attack modifies legitimate files to redirect crypto funds to the attacker's wallet. The campaign shows persistence, as removing the malicious package doesn't remove the injected code from the wallets. Multiple versions of both wallets were targeted, with the attackers adapting their code accordingly. This incident highlights the growing scope of software supply chain risks, particularly in the cryptocurrency industry, and emphasizes the need for improved monitoring of both source code repositories and locally deployed applications.
Pulse ID: 67fd41f7af4b02a0fd75fb69
Pulse Link: https://otx.alienvault.com/pulse/67fd41f7af4b02a0fd75fb69
Pulse Author: AlienVault
Created: 2025-04-14 17:12:23
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
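The pulse above notes that the injected code survives removal of the malicious package because it lives in the wallet's own files. One defensive control for that class of persistence is a file-integrity baseline of the installed application that is re-checked after any package install. The script below is an added example written for this page, not code from AlienVault or from the wallet projects; it builds a constructed mock install directory in a temp folder (assumed layout, not a real wallet's), hashes every file, tampers with one file and drops another, and reports the difference.

```python
"""Baseline-and-diff integrity check for a locally installed application tree.

Added example. The directory layout and file contents are constructed here for
the demo and do not reflect any real wallet's files.
"""
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Return {relative_path: sha256hex} for every regular file under root.

    Paths are normalised to forward slashes so baselines compare across hosts.
    """
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; anything modified or added after a baseline is a finding."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline if path in current and baseline[path] != current[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed mock install dir, baseline it, alter it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "resources")
        os.makedirs(app_dir)
        # Constructed sample files standing in for an application's bundle.
        with open(os.path.join(app_dir, "app.js"), "w") as fh:
            fh.write("module.exports = {};\n")
        with open(os.path.join(app_dir, "package.json"), "w") as fh:
            fh.write('{"name": "mock-app"}\n')

        baseline = snapshot_tree(root)

        # Simulate the post-install state: one bundle file changed, one new file present.
        with open(os.path.join(app_dir, "app.js"), "a") as fh:
            fh.write("// appended content\n")
        with open(os.path.join(app_dir, "extra.js"), "w") as fh:
            fh.write("\n")

        return diff_snapshots(baseline, snapshot_tree(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a clean install of the application, stored outside the tree it describes, and re-run on a schedule or from a post-install hook; any entry under `modified` or `added` in an application directory that no updater should have touched is what an analyst wants to see first.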
“slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem.
And now attackers are catching on.”
The Rise of Slopsquatting: How #AI Hallucinations Are Fueling... https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks #npm #dev #infosec
Edit: more info: https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/
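The slopsquatting problem described above comes down to dependency names that were never checked against reality before `npm install`. The script below is an added example for this page, not code from Socket or from the linked articles. It reads a `package.json`, reports any dependency that is not in a set of known-good package names, and separately flags names that are near-misses of a known name (the classic typosquat shape). The `KNOWN_PACKAGES` set is a constructed stand-in; a real deployment would populate it from the registry, an internal mirror, or the committed lockfile rather than a hard-coded list.

```python
"""Flag dependencies that are unknown or suspiciously close to a known package name.

Added example. KNOWN_PACKAGES and SAMPLE_PACKAGE_JSON are constructed for the demo.
"""
import json
from difflib import SequenceMatcher

# Constructed stand-in for "names that actually exist"; replace with a registry
# or mirror lookup, or the set of names already present in the lockfile.
KNOWN_PACKAGES = {"express", "lodash", "react", "axios", "is-promise", "chalk"}

# Constructed sample manifest resembling what an LLM-generated snippet might suggest.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "express": "^4.19.2",
        "lodahs": "^4.17.21",
        "react-easy-charts-pro": "^1.0.0",
        "axios": "^1.6.0",
    },
})


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def audit_dependencies(package_json_text, known, threshold=0.8):
    """Return {dependency_name: (finding, closest_known_or_None)} for suspicious entries.

    - "possible-typosquat": not known, but within `threshold` similarity of a known name.
    - "unknown-package":    not known and not close to anything known.
    Known names produce no entry.
    """
    data = json.loads(package_json_text)
    declared = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        declared.update(data.get(field, {}))

    findings = {}
    for name in declared:
        if name in known:
            continue
        closest = max(known, key=lambda k: similarity(name, k)) if known else None
        score = similarity(name, closest) if closest else 0.0
        if score >= threshold:
            findings[name] = ("possible-typosquat", closest)
        else:
            findings[name] = ("unknown-package", None)
    return findings


if __name__ == "__main__":
    for dep, (finding, closest) in audit_dependencies(SAMPLE_PACKAGE_JSON, KNOWN_PACKAGES).items():
        print(f"{dep}: {finding}" + (f" (close to {closest})" if closest else ""))
```

Wiring this into a pre-install or CI step turns "Wait, is that real?" into a hard failure: an `unknown-package` finding means the name should be verified by a human before anything is fetched, and a `possible-typosquat` finding means the intended package is probably the `closest` one.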
npm: 3 moderate severity vulnerabilities
me: npm audit fix --force
npm: 5 moderate severity vulnerabilities
AAAAAAAAAAAAAAAAAAAAA
Hoo boy am I tired of seeing messages in my browser's JavaScript from some deep transitive dependency of the app I work on, saying "We're about to remove support for <feature that a slightly less nested transitive dependency uses>, sucks to be you."
This whole developer ecosystem is a nightmare of endless compatibility problems, 90% of them trivially avoidable with a moment's thought.
"Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads" published by Socket. #BeaverTail, #ContagiousInterview, #Lazarus, #NPM, #DPRK, #CTI https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket