JavaScript | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered what has been described as the first-ever instance of a malicious Model Context Protocol ( MCP ) server spotted in the wild, raising software supply chain risks. According to Koi Security, a legitimate-looking developer managed to slip in rogue code within an npm package called " postmark-mcp " that copied an official Postmark Labs library of the same name. The malicious functionality was introduced in version 1.0.16, which was released on September 17, 2025. The actual "postmark-mcp" library, available on GitHub , exposes an MCP server to allow users to send emails, access and use email templates, and track campaigns using artificial intelligence (AI) assistants. The npm package in question has since been deleted from npm by the developer " phanpak ," who uploaded it to the repository on September 15, 2025, and maintains 31 other packages. The JavaScript library attracted a total of 1,643 downloads. ...

Think payment iframes are secure by design? Think again. Sophisticated attackers have quietly evolved malicious overlay techniques to exploit checkout pages and steal credit card data by bypassing the very security policies designed to stop them. Download the complete iframe security guide here .  TL;DR: iframe Security Exposed Payment iframes are being actively exploited by attackers using malicious overlays to skim credit card data. These pixel-perfect fake forms bypass traditional security, as proven by a recent Stripe campaign that has already compromised dozens of merchants. This article explores: Anatomy of the 2024 Stripe skimmer attack. Why old defenses like CSP and X-Frame-Options are failing. Modern attack vectors: overlays, postMessage spoofing, and CSS exfiltration. How third-party scripts in payment iframes create new risks. How the new PCI DSS 4.0.1 rules are forcing merchants to secure the entire page. A six-step defense strategy focusing on real-time mon...

GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack . This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA), granular tokens that will have a limited lifetime of seven days, and trusted publishing , which enables the ability to securely publish npm packages directly from CI/CD workflows using OpenID Connect (OIDC). Trusted publishing, besides eliminating the need for npm tokens, establishes cryptographic trust by authenticating each publish using short-lived, workflow-specific credentials that cannot be exfiltrated or reused. Even more significantly, the npm CLI automatically generates and publishes provenance attestations for the package. "Every package published via trusted publi...

Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild. The zero-day vulnerability in question is CVE-2025-10585 , which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine. Type confusion vulnerabilities can have severe consequences as they can be weaponized by bad actors to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes. Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 16, 2025. As is typically the case, the company did not share any additional specifics about how the vulnerability is being abused in real-world attacks, by whom, or the scale of such efforts. This is done to prevent other threat actors from exploiting the issue before users can apply a fix. "Google is aware that an exploit for CVE-2025-10585 exis...

Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers. "The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages," supply chain security company Socket said . The end goal of the campaign is to search developer machines for secrets using TruffleHog's credential scanner and transmit them to an external server under the attacker's control. The attack is capable of targeting both Windows and Linux systems. The following packages have been identified as impacted by the incident - angulartics2@14.1.2 @ctrl/deluge@7.2.2 @ctrl/golang-template@1.4.3 @ctrl/magnet-link@4.0.4 @ctrl/ngx-codemirror@7.0.2 @ctrl/ngx-csv@6.0.2 @ctrl/ngx-emoji-mart@...

The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content. "The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organizations," Silent Push said in an analysis. SocGholish, also called FakeUpdates, is a JavaScript loader malware that's distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, as well as other software such as Adobe Flash Player or Microsoft Teams. It's attributed to a threat actor called TA569, which is also tracked as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543. Attack chains involve deploying SocGholish to establish initial access and broker that compromised system access to a diverse clientele, includ...

Cybersecurity researchers have flagged a malicious npm package that was generated using artificial intelligence (AI) and concealed a cryptocurrency wallet drainer. The package, @kodane/patch-manager, claims to offer "advanced license validation and registry optimization utilities for high-performance Node.js applications." It was uploaded to npm by a user named "Kodane" on July 28, 2025. The package is no longer available for download from the registry, but not before it attracted over 1,500 downloads. Software supply chain security company Safety, which discovered the library, said the malicious features are advertised directly in the source code, calling it an "enhanced stealth wallet drainer." Specifically, the behavior is triggered as part of a postinstall script that drops its payload within hidden directories across Windows, Linux, and macOS systems, and then proceeds to connect to a command-and-control (C2) server at "sweeper-monitor-produ...

Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL that can capture data such as credentials and wallets. The activity leverages thousands of malicious advertisements posted on Facebook in an attempt to redirect unsuspecting victims to counterfeit sites that instruct them to install the bogus apps, according to Check Point. These ads are shared either via stolen accounts or newly created ones. "The actors separate the installer's functionality into different components and most notably move some functionality to the JavaScript files inside the infected websites," the company said in an analysis. "A modular, multi-layered infection flow enables the attackers to adapt new tactics and payloads at every stage of the operation." It's worth noting that some aspects of the activity were previously documented by Microsoft in April 2...

The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack that's targeting users in an attempt to redirect them to fake PyPI sites. The attack involves sending email messages bearing the subject line "[PyPI] Email verification" that are sent from the email address noreply@pypj[.]org (note that the domain is not " pypi[.]org "). "This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI," Mike Fiedler, PyPI Admin, said in a post Monday. The email messages instruct users to follow a link to verify their email address, which leads to a replica phishing site that impersonates PyPI and is designed to harvest their credentials. But in a clever twist, once the login information is entered on the bogus site, the request is routed to the legitimate PyPI site, effectively fooling the victims into thinking that nothing is amiss when, in r...

React conquered XSS? Think again. That's the reality facing JavaScript developers in 2025, where attackers have quietly evolved their injection techniques to exploit everything from prototype pollution to AI-generated code, bypassing the very frameworks designed to keep applications secure. Full 47-page guide with framework-specific defenses (PDF, free). JavaScript conquered the web, but with that victory came new battlefields. While developers embraced React, Vue, and Angular, attackers evolved their tactics, exploiting AI prompt injection, supply chain compromises, and prototype pollution in ways traditional security measures can't catch. A Wake-up Call: The Polyfill.io Attack In June 2024, a single JavaScript injection attack compromised over 100,000 websites in the biggest JavaScript injection attack of the year. The Polyfill.io supply chain attack , where a Chinese company acquired a trusted JavaScript library and weaponized it to inject malicious code, affected major pl...

Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers," Matthew Suozzo, Google Open Source Security Team (GOSST), said in a blog post this week. The project aims to provide build provenance for packages across the Python Package Index (Python), npm (JS/TS), and Crates.io (Rust) package registries, with plans to extend it to other open-source software development platforms. With OSS Rebuild, the idea is to leverage a combination of declarative build definitions, build instrumentation, and network monitoring capabilities to produce trustworthy security metadata, which can then be used to validate the package's origin and ensure it has not been tampered with. "Through a...

A new attack campaign has compromised more than 3,500 websites worldwide with JavaScript cryptocurrency miners, marking the return of browser-based cryptojacking attacks once popularized by the likes of CoinHive .  Although the service has since shuttered after browser makers took steps to ban miner-related apps and add-ons, researchers from the c/side said they found evidence of a stealthy miner packed within obfuscated JavaScript that assesses the computational power of a device and spawns background Web Workers to execute mining tasks in parallel without raising any alarm. More importantly, the activity has been found to leverage WebSockets to fetch mining tasks from an external server, so as to dynamically adjust the mining intensity based on the device capabilities and accordingly throttle resource consumption to maintain stealth. "This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools," security researcher ...

Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. The list of affected packages and their rogue versions, according to Socket, is listed below - eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) eslint-plugin-prettier (versions 4.2.2 and 4.2.3) synckit (version 0.11.9) @pkgr/core (version 0.2.8) napi-postinstall (version 0.3.1) got-fetch (versions 5.1.11 and 5.1.12) is (versions 3.3.1 and 5.0.0) "The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution," the software supply chain security firm said. The development comes in the aftermath of a phishing campaign that...

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks. The packages, per Socket, have attracted more than 17,000 downloads, and incorporate a previously undocumented version of a malware loader codenamed XORIndex . The activity is an expansion of an attack wave spotted last month that involved the distribution of 35 npm packages that deployed another loader referred to as HexEval. "The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks," Socket researcher Kirill Boychenko said . Contagious Interview is the name assigned to a long-running campaign that seeks to en...

Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild. The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: 8.1), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine. "Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page," according to a description of the bug on the NIST's National Vulnerability Database (NVD). Type confusion vulnerabilities can have severe consequences as they can be exploited to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes. Zero-day bugs like this are especially risky because attackers often start using them before a fix is available. In real-world attacks, these flaws can let hackers install spyware, launch drive-by downloads, or quietly run harmful code — sometimes just by getting...

Cybersecurity researchers have uncovered a fresh batch of malicious npm packages linked to the ongoing Contagious Interview operation originating from North Korea. According to Socket , the ongoing supply chain attack involves 35 malicious packages that were uploaded from 24 npm accounts. These packages have been collectively downloaded over 4,000 times. The complete list of the JavaScript libraries is below - react-plaid-sdk sumsub-node-websdk vite-plugin-next-refresh vite-plugin-purify nextjs-insight vite-plugin-svgn node-loggers react-logs reactbootstraps framer-motion-ext serverlog-dispatch mongo-errorlog next-log-patcher vite-plugin-tools pixel-percent test-topdev-logger-v1 test-topdev-logger-v3 server-log-engine logbin-nodejs vite-loader-svg struct-logger flexible-loggers beautiful-plugins chalk-config jsonpacks jsonspecific jsonsecs util-buffers blur-plugins proc-watch node-orm-mongoose prior-config use-videos lucide-node, and router-parse ...

Cybersecurity researchers from  SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below - eslint-config-airbnb-compat (676 Downloads) ts-runtime-compat-check (1,588 Downloads) solders (983 Downloads) @mediawave/lib (386 Downloads) All the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry.  SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former package ("proxy.eslint-proxy[.]site") to retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown. "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code,"...

Cybersecurity researchers are calling attention to a "large-scale campaign" that has been observed compromising legitimate websites with malicious JavaScript injections. According to Palo Alto Networks Unit 42, these malicious injects are obfuscated using JSFuck , which refers to an "esoteric and educational programming style" that uses only a limited set of characters to write and execute JavaScript code. The cybersecurity company has given the technique an alternate name JSFireTruck owing to the profanity involved. "Multiple websites have been identified with injected malicious JavaScript that uses JSFireTruck obfuscation, which is composed primarily of the symbols [, ], +, $, {, and }," security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal said . "The code's obfuscation hides its true purpose, hindering analysis." Further analysis has determined that the injected code is designed to check the website referrer (...