Search results for npm remove package command | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's main.js file, and disable auto-updates to maintain persistence," Socket researcher Kirill Boychenko said . The packages in question are listed below - sw-cur (2,771 downloads) sw-cur1 (307 downloads), and aiide-cur (163 downloads) All three packages continue to be available for download from the npm registry. "Aiide-cur" was first published on February 14, 2025. It was uploaded by a user named "aiide." The npm library is described as a "command-line tool for configuring the macOS version of the Cursor editor." The other two packages, ...

Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution. The package, named termncolor , realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler ThreatLabz said . While termncolor was downloaded 355 times, colorinal attracted 529 downloads. Both libraries are no longer available on PyPI. "This attack could leverage DLL side-loading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication, ending in remote code execution," according to researchers Manisha Ramcharan Prajapati and Satyam Singh. Once installed and executed, termncolor is designed to import colorinal, which, in turn, loads a rogue DLL that's responsible for decrypting and running the next-stage payload. Specifica...

The maintainers of the nx build system have alerted users to a supply chain attack that allowed attackers to publish malicious versions of the popular npm package and other auxiliary plugins with data-gathering capabilities. "Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials, and posts them to GitHub as a repo under the user's accounts," the maintainers said in an advisory published Wednesday. Nx is an open-source, technology-agnostic build platform that's designed to manage codebases. It's advertised as an "AI-first build platform that connects everything from your editor to CI [continuous integration]." The npm package has over 3.5 million weekly downloads. The list of affected packages and versions is below. These versions have since been removed from the npm registry. The compromise of the nx package took place on August 26, 20...

Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem. One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update. "In both cases the attacker appears to have taken over packages that have not been updated in a while," the SANS Internet Storm Center (ISC)  said , one of whose volunteer incident handlers, Yee Ching, analyzed the ctx package. It's worth noting that ctx, prior to the latest release on May 21, 2022, was last published to PyPi on December 19, 2014. On the other hand, phpass hasn't received an update since it was uploaded to Packagist on August 31, 2012. Both the libraries have been removed from PyPi and GitHub . At its core, the modifications are designed to exfiltrate AWS credentials t...

Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that's reminiscent of the Shai-Hulud attack . The new supply chain campaign, dubbed Sha1-Hulud , has compromised hundreds of npm packages, according to reports from Aikido , HelixGuard , JFrog , Koi Security , ReversingLabs , SafeDep , Socket , Step Security , and Wiz . The trojanized npm packages were uploaded to npm between November 21 and 23, 2025. The attack has impacted popular packages from Zapier, ENS Domains, PostHog, and Postman, among others. "The campaign introduces a new variant that executes malicious code during the preinstall phase, significantly increasing potential exposure in build and runtime environments," Wiz researchers Hila Ramati, Merav Bar, Gal Benmocha, and Gili Tikochinski said. Like the Shai-Hulud attack that came to light in September 2025, the latest activity also publishes stolen secrets to GitHub, this time with the rep...

Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded. Secure Annex researcher John Tuckner, who flagged the extension " susvsex ," said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named "suspublisher18" along with the description "Just testing" and the email address "donotsupport@example[.]com." "Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch," reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace.  According to details shared by "suspublisher18," the extension is designed to automatically activate itself on any even...

The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js." The company told The Hacker News that org.mvnpm:posthog-node:4.18.1 was the only Java package identified so far. "This means the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems, driven by the same Shai Hulud v2 payload," the cybersecurity company said in a Tuesday update. It's worth noting that the Maven Central package is not published by PostHog itself. Rather, the "org.mvnpm" coordinates are generated via an automated mvnpm process that rebuilds npm packages as Maven artifacts. The Maven Central said...

Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially pave the way for a supply chain compromise on the Python Package Index (PyPI) via a domain takeover attack. Software supply chain security company ReversingLabs said it found the "vulnerability" in bootstrap files provided by a build and deployment automation tool named "zc.buildout." "The scripts automate the process of downloading, building, and installing the required libraries and tools," security researcher Vladimir Pezo said . "Specifically, when the bootstrap script is executed, it fetches and executes an installation script for the package Distribute from python-distribute[.]org – a legacy domain that is now available for sale in the premium price range while being managed to drive ad revenue." The PyPI packages that include a bootstrap script that accesses the domain in question include tornado, pypiserver, slapos.core, roman, x...

Cybersecurity researchers have discovered a malicious package on the npm package registry that masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but, in reality, drops an open-source remote access trojan called Quasar RAT onto developer systems. The heavily obfuscated package, named ethereumvulncontracthandler , was published to npm on December 18, 2024, by a user named "solidit-dev-416." As of writing, it continues to be available for download. It has been downloaded 66 times to date. "Upon installation, it retrieves a malicious script from a remote server, executing it silently to deploy the RAT on Windows systems," Socket security researcher Kirill Boychenko said in an analysis published last month. The malicious code embedded into ethereumvulncontracthandler is obscured with multiple layers of obfuscation, leveraging techniques like Base64- and XOR-encoding, as well as minification to resist analysis and detection efforts. ...

Four different rogue packages in the Python Package Index ( PyPI ) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are  aptx ,  bingchilling2 ,  httops , and  tkint3rs , all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm's  highly popular audio codec  of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively. "Most of these packages had well thought out names, to purposely confuse people," security researcher and journalist Ax Sharma  said . An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated  Meterpreter payload  that's disguised as " pip ," a legitimate package installer for Python, and which can be leveraged to gain shell access to the...

In what's the latest instance of a software supply chain attack, unknown threat actors managed to compromise Toptal's GitHub organization account and leveraged that access to publish 10 malicious packages to the npm registry. The packages contained code to exfiltrate GitHub authentication tokens and destroy victim systems, Socket said in a report published last week. In addition, 73 repositories associated with the organization were made public. The list of affected packages is below - @toptal/picasso-tailwind @toptal/picasso-charts @toptal/picasso-shared @toptal/picasso-provider @toptal/picasso-select @toptal/picasso-quote @toptal/picasso-forms @xene/core @toptal/picasso-utils @toptal/picasso-typograph All the Node.js libraries were embedded with identical payloads in their package.json files, attracting a total of about 5,000 downloads before they were removed from the repository. The nefarious code has been found to specifically target the preinstall and p...

RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication (MFA) for popular package maintainers, following the footsteps of  NPM  and  PyPI . To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022. "Users in this category who do not have MFA enabled on the UI and API or UI and gem sign-in level will not be able to edit their profile on the web, perform privileged actions (i.e. push and yank gems, or add and remove gem owners), or sign in on the command line until they configure MFA," RubyGems  noted . What's more, gem maintainers who cross 165 million cumulative downloads are expected to receive reminders to turn on MFA until the download count touches the 180 million thresholds, at which point it will be made mandatory. The development is seen as an attempt by package ecosystems to  bolster the software sup...

Welcome to this week's Threatsday Bulletin —your Thursday check-in on the latest twists and turns in cybersecurity and hacking. The digital threat landscape never stands still. One week it's a critical zero-day, the next it's a wave of phishing lures or a state-backed disinformation push. Each headline is a reminder that the rules keep changing and that defenders—whether you're protecting a global enterprise or your own personal data—need to keep moving just as fast. In this edition we unpack fresh exploits, high-profile arrests, and the newest tactics cybercriminals are testing right now. Grab a coffee, take five minutes, and get the key insights that help you stay a step ahead of the next breach. Firmware fights back SonicWall Releases SMA 100 Firmware Update to Remove Rootkit SonicWall has released a firmware update that it said will help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices. "S...