Search results for patch package npm | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered two malicious packages on the npm registry that are designed to infect another locally installed package, underscoring the continued evolution of software supply chain attacks targeting the open-source ecosystem. The packages in question are ethers-provider2 and ethers-providerz , with the former downloaded 73 times to date since it was published on March 15, 2025. The second package, likely removed by the malware author themselves, did not attract any downloads. "They were simple downloaders whose malicious payload was cleverly hidden," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. "The interesting part lay in their second stage, which would 'patch' the legitimate npm package ethers , installed locally, with a new file containing the malicious payload. That patched file would ultimately serve a reverse shell." The development marks a new escalation of threat actors...

Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's main.js file, and disable auto-updates to maintain persistence," Socket researcher Kirill Boychenko said . The packages in question are listed below - sw-cur (2,771 downloads) sw-cur1 (307 downloads), and aiide-cur (163 downloads) All three packages continue to be available for download from the npm registry. "Aiide-cur" was first published on February 14, 2025. It was uploaded by a user named "aiide." The npm library is described as a "command-line tool for configuring the macOS version of the Cursor editor." The other two packages, ...

Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution. The package, named termncolor , realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler ThreatLabz said . While termncolor was downloaded 355 times, colorinal attracted 529 downloads. Both libraries are no longer available on PyPI. "This attack could leverage DLL side-loading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication, ending in remote code execution," according to researchers Manisha Ramcharan Prajapati and Satyam Singh. Once installed and executed, termncolor is designed to import colorinal, which, in turn, loads a rogue DLL that's responsible for decrypting and running the next-stage payload. Specifica...

Cybersecurity researchers have flagged a malicious npm package that was generated using artificial intelligence (AI) and concealed a cryptocurrency wallet drainer. The package, @kodane/patch-manager, claims to offer "advanced license validation and registry optimization utilities for high-performance Node.js applications." It was uploaded to npm by a user named "Kodane" on July 28, 2025. The package is no longer available for download from the registry, but not before it attracted over 1,500 downloads. Software supply chain security company Safety, which discovered the library, said the malicious features are advertised directly in the source code, calling it an "enhanced stealth wallet drainer." Specifically, the behavior is triggered as part of a postinstall script that drops its payload within hidden directories across Windows, Linux, and macOS systems, and then proceeds to connect to a command-and-control (C2) server at "sweeper-monitor-produ...

Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems. The findings come from multiple reports published by Checkmarx, ReversingLabs, Safety, and Socket in recent weeks. The list of identified packages across these platforms are listed below - Socket noted that the two malicious gems were published by a threat actor under the aliases Bùi nam, buidanhnam, and si_mobile merely days after Vietnam ordered a nationwide ban on the Telegram messaging app late last month for allegedly not cooperating with the government to tackle illicit activities related to fraud, drug trafficking, and terrorism. "These gems silently exfiltrate all data sent to the Telegram API by redirecting traffic through a command-and-control (C2...

Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server. Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts. "These packages [...] attempt to impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools," the software supply chain security firm  said . "But, upon installation, multiple versions of the packages were seen running obfuscated code to collect and siphon sensitive files from the target machine." Along with Kubernetes config and SSH ke...

Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch. No one except for  Debricked , it seems. Sure, there are lots of ways to do it manually, but can it be done automatically with minimal risk of breaking changes? The Debricked team decided to find out.  A forest full of fragile trees So, where do you even start? Firstly, there needs to be a way to fix the vulnerability, which, for indirect dependencies, is no walk in the park. Secondly, it needs to be done in a safe way, or, without anything breaking.  You see, indirect dependencies are introduced deep down the dependency tree and it's very tricky to get to the exact version you want. As Debricked's Head of R&D once put it, " You are turning the knobs by playing around with your direct dependencies and praying to Torvalds that the correct indirect packages are resolved. When Torvalds is in your favour, you have to sacrifice some clou...

Cybersecurity researchers have disclosed a critical vulnerability in the Open VSX Registry ("open-vsx[.]org") that, if successfully exploited, could have enabled attackers to take control of the entire Visual Studio Code extensions marketplace, posing a severe supply chain risk. "This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines," Koi Security researcher Oren Yomtov said . "By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX." Following responsible disclosure on May 4, 2025, multiple rounds of fixes were proposed by the maintainers, before a final patch was deployed on June 25. Open VSX Registry is an open-source project and alternative to the Visual Studio Marketplace. It's maintained by the Eclipse Foundation. Several code editors like Cursor, Windsurf, Google Cloud Shell Editor, Gitpod, an...

Ever wonder what happens when attackers don't break the rules—they just follow them better than we do? When systems work exactly as they're built to, but that "by design" behavior quietly opens the door to risk? This week brings stories that make you stop and rethink what's truly under control. It's not always about a broken firewall or missed patch—it's about the small choices, default settings, and shortcuts that feel harmless until they're not. The real surprise? Sometimes the threat doesn't come from outside—it's baked right into how things are set up. Dive in to see what's quietly shaping today's security challenges. ⚡ Threat of the Week FBI Warns of Scattered Spider's on Airlines — The U.S. Federal Bureau of Investigation (FBI) has warned of a new set of attacks mounted by the notorious cybercrime group Scattered Spider targeting the airline sector using sophisticated social engineering techniques to obtain initial access. Cybersecurity vendors Palo Alto Networks Unit 4...

Welcome to this week's Threatsday Bulletin —your Thursday check-in on the latest twists and turns in cybersecurity and hacking. The digital threat landscape never stands still. One week it's a critical zero-day, the next it's a wave of phishing lures or a state-backed disinformation push. Each headline is a reminder that the rules keep changing and that defenders—whether you're protecting a global enterprise or your own personal data—need to keep moving just as fast. In this edition we unpack fresh exploits, high-profile arrests, and the newest tactics cybercriminals are testing right now. Grab a coffee, take five minutes, and get the key insights that help you stay a step ahead of the next breach. Firmware fights back SonicWall Releases SMA 100 Firmware Update to Remove Rootkit SonicWall has released a firmware update that it said will help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices. "S...