As a worm spread through hundreds of npm packages in 2025, it didn't exploit a vulnerability – it exploited the architecture.

Forbes contributors publish independent expert analyses and insights. A serious security breach has sent shockwaves through both everyday online services and the cryptocurrency world. At the center is ...

Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. The finding, ...

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved ...

Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever. “Sorry everyone, I should ...

When a token with publishing rights was stolen, multiple poisoned Nx variants were released The malware stole secrets and other important data The attack lasted a few hours, but could be causing ...

The latest version also executes malicious code during the preinstall phase, and is bigger and faster than the first wave, say researchers. A new version of the Shai-Hulud credentials-stealing ...

A second wave of the Shai-Hulud supply-chain attack has struck the npm software ecosystem, affecting more than 25,000 projects and hundreds of developers, Israeli tech firm Sola Security announced on ...

The typosquatted “@acitons/artifact” package targeted GitHub’s CI/CD workflows, stealing tokens and publishing malicious artifacts under GitHub’s own name. A ...

If you needed another reminder that our software supply chains are only as strong as their smallest link, the JavaScript ecosystem delivered it. In early September, attackers phished the NPM account ...