#NPM

2025-10-11

Malicious npm Packages Used Against Tech And Energy Sectors

A sophisticated phishing campaign named Beamglea has been using 175
malicious npm packages over 26,000 downloads that abused npm and the
unpkg[.]com CDN to host redirect scripts.

Pulse ID: 68e9c7a92eaacc3f6148c301
Pulse Link: otx.alienvault.com/pulse/68e9c
Pulse Author: cryptocti
Created: 2025-10-11 02:57:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CDN #CyberSecurity #InfoSec #NPM #OTX #OpenThreatExchange #Phishing #bot #cryptocti

Kat Marchán 🐈 (zkat@toot.cat)
2025-10-10

lmao now legitimate security emails from NPM are considered phishing. What a shitshow.

#NPM #JavaScript #security

[Image description: screenshot of an email that clearly says it's from support@npmjs.com, a legitimate email address belonging to the NPM support team. Fastmail has flagged it as suspicious, and that it might be a phishing attempt. The email seems to be about some "security improvements".]
2025-10-10

🛠️ Show HN: Providing static builds for popular open-source libraries on npmjs.org. The project helps reduce build time and improve package stability. Take a look and contribute! #OpenSource #npm #StaticBuild #PhầnMềmMãNguồnMở #npmjs #CôngCụPhátTriển

github.com/ffilibs/poc

2025-10-09

@antfu Thanks for your work to explore #pnpm catalogs. I agree that this is especially useful to document how and when to update certain dependencies.

Some are safe to change (testing and dev deps), and others require careful review (runtime production dependencies with access to sensitive data).

Looking forward to how this develops over time. This could create big improvements for #JavaScript and #TypeScript projects.

antfu.me/posts/categorize-deps

#web #webdev #frontend #npm

2025-10-08

possibly unpopular opinion: I think npm should remove postinstall scripts as a feature entirely. All it's used for is downloading and extracting archives, which could be done with a new dedicated feature, or malware.

#npm

Plugin vulnerability exploited! Get the inside scoop on the Postmark MCP attack and what it means for supply chain security. #PostmarkMCP #npm #supplyChainSecurity
jpmellojr.blogspot.com/2025/10

I completely missed this from a few weeks back - Github/NPM responding to the Shai-Hulud attack on npm libraries:

github.blog/security/supply-ch

#SupplyChainAttack #ShaiHulud #npm #GitHub

𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕 (kubikpixel@chaos.social)
2025-10-08

»npm as a security risk — why attacks are increasing and how to prevent them:
npm remains vulnerable to supply-chain attacks. Why is that, what are npm and GitHub doing about it, and how can you protect your own projects?«

Personally I'm no fan of JavaScript, but I use it for web applications. Yes, it is laborious to review the libs and their dependencies, and unfortunately it doesn't stop hackers either.

🔧 heise.de/blog/npm-als-Sicherhe

#webdev #npm #javascript #typescript #js #ts #supplychain #sec

Kevin Karhan :verified: (kkarhan@infosec.space)
2025-10-08

@michalfita @anselmschueler @renormalist @aliceif @bill88t @BrodieOnLinux @AsahiLinux @landley

Yeah the extensive dependency on #Cargo and poorly declared or undeclared dependencies ain't a failure of #Rust entirely...

  • Rather it's 99% the blame of #developers and 1% the blame of Rust for normalizing this Internet-centric setup, which had been introduced with even worse systems like #pip and #npm but that's beyond the scope of my criticism.

Point is I want to develop @OS1337 into a minimalist #toybox + #musl / #linux distro which excels with #minimalism and #Reproduceability of everything.

  • This does make things more convoluted since it basically means that every application needs to be its own, self-contained & statically linked binary, but alas this is more of an edge-case than the norm.

2025-10-07

bun.com/ - #Bun is a drop-in replacement for #Node and #NPM, has full #TypeScript support, and uses package.json.

2025-10-07

Good practices for publishing JavaScript packages on npm.

🔗 e18e.dev/docs/publishing.html

#npm #goodpractice #package #JavaScript

N-gated Hacker News (ngate)
2025-10-07

🚀 In the latest episode of "You're Doing Wrong," Kevin and John discover that Rails now requires a PhD in . 🎓🤔 Apparently, all you need is to master , , , , and TypeScript—simple, right? 🙄 Because who doesn't love spending their weekends configuring scripts that replace perfectly good built-in tools? 🤷‍♂️
bananacurvingmachine.com/artic

GripNews (GripNews)
2025-10-07

🌗 The experience of being blocked for contributing security improvements to lodash
➤ An in-depth look at open-source contribution, security mechanisms and the experience of being blocked
c.ruatta.com/on-being-blocked-
The author wanted to contribute to the hugely popular JavaScript package lodash to improve its supply-chain security, by adding a "provenance" mechanism to the package publishing process via GitHub Actions. However, after attempting to submit a Pull Request, the author found that their GitHub account had been blocked by the lodash project, making it impossible to create Issues or Watch the repository. Although the author tried to reach the project maintainer through a GitHub Issue, tagging from the forked repo and direct email, none of these received a response. From this setback the author learned that open-source maintainers have no obligation to accept contributions, and that before investing a lot of time one should first communicate to understand the project's current state and the maintainers' willingness, so as to avoid duplicated effort.
+ This article shares valuable experience, especially for new contributors. Understanding a project's "
Actions

2025-10-06

New post:

The npm “Shai-Hulud” supply-chain meltdown wasn’t a blip—it was a worm that jumped through CI/CD and secrets. I break down what happened and the fixes that actually work: rotate creds, freeze publishes, rebuild clean, block postinstall, and use short-lived OIDC creds.

kylereddoch.me/blog/the-npm-sh

#CyberSecurity #InfoSec #SupplyChain #npm #DevSecOps #AppSec #RiskManagement
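The "block postinstall" fix from the post above, as an added example that is not the author's code: it audits an installed node_modules tree for packages that declare install-time lifecycle scripts (the hook install-time malware relies on) and checks whether the project .npmrc sets ignore-scripts=true. The package tree and package names are constructed inline for the demo.

```python
"""Audit node_modules for npm lifecycle scripts and check ignore-scripts."""
import json
import tempfile
from pathlib import Path

# Hooks npm runs while installing a dependency from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules: Path) -> dict:
    """Return {package name: {hook: command}} for packages with install hooks."""
    found = {}
    for pkg_json in node_modules.rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not a real package manifest
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            found[data.get("name", str(pkg_json.parent))] = hooks
    return found


def scripts_ignored(npmrc: Path) -> bool:
    """True if the project .npmrc disables lifecycle scripts globally."""
    if not npmrc.is_file():
        return False
    for line in npmrc.read_text(encoding="utf-8").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


def build_sample_project() -> Path:
    """Constructed fixture: two fake packages, one with a postinstall hook."""
    root = Path(tempfile.mkdtemp())
    nm = root / "node_modules"
    (nm / "benign-lib").mkdir(parents=True)
    (nm / "benign-lib" / "package.json").write_text(
        json.dumps({"name": "benign-lib", "scripts": {"test": "jest"}}))
    (nm / "suspect-lib").mkdir()
    (nm / "suspect-lib" / "package.json").write_text(
        json.dumps({"name": "suspect-lib", "scripts": {"postinstall": "node setup.js"}}))
    (root / ".npmrc").write_text("ignore-scripts=true\n")
    return root


if __name__ == "__main__":
    project = build_sample_project()
    print("install hooks:", find_install_scripts(project / "node_modules"))
    print("ignore-scripts set:", scripts_ignored(project / ".npmrc"))
```

Run it against a real project by pointing the two functions at its node_modules and .npmrc; any package listed should be reviewed before install scripts are re-enabled.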

Lovell Fuller (lovell)
2025-10-05

🔒 If you publish packages to the npm registry and haven't already seen its new Trusted Publisher feature, please do take a look at docs.npmjs.com/trusted-publish

🎟️ It uses short-lived OIDC tokens to allow CI-based automation of signed publish-with-provenance.

📈 According to github.com/sxzz/npm-top-proven I maintain 6 of the top 50 packages that use this feature, and those 6 packages combined have over 600 million downloads each month!

Michael van Laar (michaelvanlaar)
2025-10-05

Amazing! Thanks to Claude Code, I was able to create and publish my very first npm package! It's an n8n Community Node for webpage content extraction, utilizing the cutting-edge Defuddle library.

npmjs.com/package/@michaelvanl

Frontend Dogma (frontenddogma@mas.to)
2025-10-04

Which npm Package Has the Largest Version Number?, by (not on Mastodon or Bluesky):

adamhl.dev/blog/largest-number

#npm #dependencies #versioning #semver

2025-10-03

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst