Search results for how to install package with npm | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort. "The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years," Endor Labs researchers Cris Staicu and Kiran Raj said in a Tuesday report. The coordinated campaign has so far published as many as 67,579 packages , according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual – It's designed to inundate the npm registry with random packages rather than focusing on data theft or other malicious behaviors. The worm-life propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFood...

Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's main.js file, and disable auto-updates to maintain persistence," Socket researcher Kirill Boychenko said . The packages in question are listed below - sw-cur (2,771 downloads) sw-cur1 (307 downloads), and aiide-cur (163 downloads) All three packages continue to be available for download from the npm registry. "Aiide-cur" was first published on February 14, 2025. It was uploaded by a user named "aiide." The npm library is described as a "command-line tool for configuring the macOS version of the Cursor editor." The other two packages, ...

Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch. No one except for  Debricked , it seems. Sure, there are lots of ways to do it manually, but can it be done automatically with minimal risk of breaking changes? The Debricked team decided to find out.  A forest full of fragile trees So, where do you even start? Firstly, there needs to be a way to fix the vulnerability, which, for indirect dependencies, is no walk in the park. Secondly, it needs to be done in a safe way, or, without anything breaking.  You see, indirect dependencies are introduced deep down the dependency tree and it's very tricky to get to the exact version you want. As Debricked's Head of R&D once put it, " You are turning the knobs by playing around with your direct dependencies and praying to Torvalds that the correct indirect packages are resolved. When Torvalds is in your favour, you have to sacrifice some clou...

Malware isn't just trying to hide anymore—it's trying to belong. We're seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It's not just about being malicious—it's about being believable. In this week's cybersecurity recap, we explore how today's threats are becoming more social, more automated, and far too sophisticated for yesterday's instincts to catch. ⚡ Threat of the Week Secret Blizzard Conduct ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are abusing local internet service providers' networks to target foreign embassies in Moscow and likely collect intelligence from diplomats' devices. The activity has been attributed to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves using an adversary-...

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket. "While the packages' randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure," security researcher Kush Pandya said . The packages have been found to use npm's public registry and unpkg.com's CDN to host redirect scripts that route victims to credential harvesting pages. Some aspects of the campaign were first flagged by Safety's Paul McCarty late last month. Specificall...

The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js." The company told The Hacker News that org.mvnpm:posthog-node:4.18.1 was the only Java package identified so far. "This means the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems, driven by the same Shai Hulud v2 payload," the cybersecurity company said in a Tuesday update. It's worth noting that the Maven Central package is not published by PostHog itself. Rather, the "org.mvnpm" coordinates are generated via an automated mvnpm process that rebuilds npm packages as Maven artifacts. The Maven Central said...

Every week, the cyber world reminds us that silence doesn't mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done. This week's edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons. From major software bugs to AI abuse and new phishing tricks, each story shows how fast the threat landscape is shifting and why security needs to move just as quickly. ⚡ Threat of the Week Dozens of Orgs Impacted by Exploitation of Oracle EBS Flaw — Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, according to Google Threat Intelligence Group (GTIG) and Mandiant. The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashio...

Hackers aren't kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and "trusted" partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest invite, one link on a phone, one bug in a common tool, and suddenly your mail, chats, repos, and servers are in play. Every story below is a reminder that your "safe" tools might be the real weak spot. ⚡ Threat of the Week Shai-Hulud Returns with More Aggression — The npm registry was targeted a second time by a self-replicating worm that went by the moniker "Sha1-Hulud: The Second Coming," affecting over 800 packages and 27,000 GitHub repositories. Like in the previous iteration, the main objective was to steal sensitive data like API keys, cloud credentials, and npm and GitHub authentication information, and facilitate deeper supply chain compromise in a worm-like fashion. Th...

Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft. The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical infrastructure-adjacent organizations in the U.S. and Allied nations, according to Socket. "A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft," researchers Nicholas Anderson and Kirill Boychenko said .

Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day. Hackers don't need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough. This week, we trace how simple oversights turn into major breaches — and the silent threats most companies still underestimate. Let's dive in. ⚡ Threat of the Week UNC5221 Exploits New Ivanti Flaw to Drop Malware — The China-nexus cyber espionage group tracked as UNC5221 exploited a now-patched flaw in Ivanti Connect Secure, CVE-2025-22457 (CVSS score: 9.0), to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN malware suite. The vulnerability was originally patched by Ivanti on February 11, 2025, indicating that the threat actors studied the patch a...

Ever wonder what happens when attackers don't break the rules—they just follow them better than we do? When systems work exactly as they're built to, but that "by design" behavior quietly opens the door to risk? This week brings stories that make you stop and rethink what's truly under control. It's not always about a broken firewall or missed patch—it's about the small choices, default settings, and shortcuts that feel harmless until they're not. The real surprise? Sometimes the threat doesn't come from outside—it's baked right into how things are set up. Dive in to see what's quietly shaping today's security challenges. ⚡ Threat of the Week FBI Warns of Scattered Spider's on Airlines — The U.S. Federal Bureau of Investigation (FBI) has warned of a new set of attacks mounted by the notorious cybercrime group Scattered Spider targeting the airline sector using sophisticated social engineering techniques to obtain initial access. Cybersecurity vendors Palo Alto Networks Unit 4...

Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert. Here's how that false sense of security was broken again this week. ⚡ Threat of the Week Newly Patched Critical Microsoft WSUS Flaw Comes Under Attack — Microsoft released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability that has since come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. According to Eye Security and Huntress, the security flaw is being weaponized to drop a .N...

Criminals don't need to be clever all the time; they just follow the easiest path in: trick users, exploit stale components, or abuse trusted systems like OAuth and package registries. If your stack or habits make any of those easy, you're already a target. This week's ThreatsDay highlights show exactly how those weak points are being exploited — from overlooked misconfigurations to sophisticated new attack chains that turn ordinary tools into powerful entry points. Lumma Stealer Stumbles After Doxxing Drama Decline in Lumma Stealer Activity After Doxxing Campaign The activity of the Lumma Stealer (aka Water Kurita) information stealer has witnessed a "sudden drop" since last months after the identities of five alleged core group members were exposed as part of what's said to be an aggressive underground exposure campaign dubbed Lumma Rats since late August 2025. The targeted individuals are affiliated with the malware's development and administ...

Cybersecurity researchers have uncovered yet another active software supply chain attack campaign targeting the npm registry with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developers' machines. The campaign has been codenamed PhantomRaven by Koi Security. The activity is assessed to have begun in August 2025, when the first packages were uploaded to the repository. It has since ballooned to a total of 126 npm libraries, attracting more than 86,000 installs. Some of the packages have also been flagged by the DevSecOps company DCODX -  op-cli-installer (486 Downloads) unused-imports (1,350 Downloads) badgekit-api-client (483 Downloads) polyfill-corejs3 (475 Downloads) eslint-comments (936 Downloads) What makes the attack stand out is the attacker's pattern of hiding the malicious code in dependencies by pointing to a custom HTTP URL, causing npm to fetch them from an untrusted website (in this case,...

New research has discovered over 800 packages in the npm registry which have discrepancies from their registry entries, out of which 18 have been found to exploit a technique called  manifest confusion . The findings come from cybersecurity firm JFrog, which said the issue could be exploited by threat actors to trick developers into running malicious code. "It's an actual threat since developers may be tricked into downloading packages that look innocent, but whose hidden dependencies are actually malicious," security researcher Andrey Polkovnichenko told The Hacker News. Manifest confusion was  first documented  in July 2023, when security researcher Darcy Clarke found that mismatches in manifest and package metadata could be weaponized to stage software supply chain attacks. The problem stems from the fact that the npm registry does not validate whether the manifest file contained in the tarball (package.json) matches the manifest data provided to the npm server d...

Last week's cyber news in 2025 was not about one big incident. It was about many small cracks opening at the same time. Tools people trust every day behave in unexpected ways. Old flaws resurfaced. New ones were used almost immediately. A common theme ran through it all in 2025. Attackers moved faster than fixes. Access meant for work, updates, or support kept getting abused. And damage did not stop when an incident was "over" — it continued to surface months or even years later. This weekly recap brings those stories together in one place. No overload, no noise. Read on to see what shaped the threat landscape in the final stretch of 2025 and what deserves your attention now. ⚡ Threat of the Week MongoDB Vulnerability Comes Under Attack — A newly disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world. The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7)...

This week's cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and governments are racing to plug new holes while arguing over privacy and control. And researchers keep uncovering just how much of our digital life is still wide open. The new Threatsday Bulletin brings it all together—big hacks, quiet exploits, bold arrests, and smart discoveries that explain where cyber threats are headed next. It's your quick, plain-spoken look at the week's biggest security moves before they become tomorrow's headlines. Maritime IoT under siege Mirai-Based Broadside Botnet Exploits TBK DVR Flaw A new Mirai botnet variant dubbed Broadside has been exploiting a critical-severity vulnerability in TBK DVR ( CVE-2024-3721 ) in attacks targeting the maritime logistics sector. "Unlike previous Mirai variants, Broadside e...

New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool. npm CLI's  install  and  audit   commands  have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws. But as JFrog established, the security advisories are not displayed when the packages follow certain version formats, creating a scenario where critical flaws could be introduced into their systems either directly or via the package's dependencies. Specifically, the problem arises only when the installed package version contains a hyphen (e.g., 1.2.3-a), which is included to denote a  pre-release version  of an npm module. While the project maintainers treat the discrepancy between regular npm package versions and pre...

In what's yet another instance of malicious packages creeping into public code repositories, 10 modules have been removed from the Python Package Index (PyPI) for their ability to harvest critical data points such as passwords and API tokens. The packages "install info-stealers that enable attackers to steal developer's private data and personal credentials," Israeli cybersecurity firm Check Point  said  in a Monday report. A short summary of the offending packages is below - Ascii2text , which downloads a nefarious script that gathers passwords stored in web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser Pyg-utils, Pymocks, and PyProto2 , which are designed to  steal users' AWS credentials Test-async and Zlibsrc , which download and execute malicious code during installation Free-net-vpn, Free-net-vpn2, and WINRPCexploit , which steal user credentials and environment variables, and Browserdiv , which are capable of coll...