npm Security | Breaking Cybersecurity News | The Hacker News

Bitwarden CLI has been compromised as part of the newly discovered and ongoing Checkmarx supply chain campaign , according to new findings from JFrog and Socket. "The affected package version appears to be @bitwarden/cli@2026.4.0 , and the malicious code was published in 'bw1.js,' a file included in the package contents," the application security company said . "The attack appears to have leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign." In a post on X, JFrog said the rogue version of the package "steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits." Specifically, the malicious code is executed by means of a preinstall hook, resulting in the theft of local, CI, GitHub, and cloud secrets. The data is exfiltrated to the domain "a...

Roblox developers are the target of a persistent campaign that seeks to compromise systems through bogus npm packages, once again underscoring how threat actors continue to exploit the trust in the open-source ecosystem to deliver malware. "By mimicking the popular 'noblox.js' library, attackers have published dozens of packages designed to steal sensitive data and compromise systems," Checkmarx researcher Yehuda Gelb said in a technical report. Roblox is an online game platform and game creation system with nearly 80 million daily active users , and thus makes for an attractive target for threat actors. It was launched in September 2006 for Windows, before debuting in other platforms, including iOS, Android, Xbox One, Meta Quest, and PlayStation 4. Details about the activity were first documented by ReversingLabs in August 2023 as part of a campaign that delivered a stealer called Luna Token Grabber, which it said was a "replay of an attack uncovered two ...