Search results for security news package | Breaking Cybersecurity News | The Hacker News

Hey readers, guess what? The Hacker News (THN) is about to complete its 6 years as a leading Information Security Channel – attracting over 9 Million readers worldwide – and a trusted source for Hacking, Cyber Security and Infosec News for the enthusiasts, technologists & nerds. In the special occasion of this year's Anniversary, The Hacker News is excited to announce the launch of its THN Deals Store ! THN Deals Store aims to give anything you need to take your potential to the next level, and that too, at amazingly good prices and incredible discounts. In fact, we even have a bunch of freebies and giveaways for our readers. THN Deals Store is packed with great deals on everything from Online Cyber Security and Hacking Courses to gear and gadgets , downloadable Security Products, privacy services, IT Certification Preparation Courses , programming courses and even drones. So, if you are searching for a great deal for anything you need, Welcome to the THN Deals St...

A software package available from the official NPM repository has been revealed to be actually a front for a tool that's designed to steal saved passwords from the Chrome web browser. The package in question, named " nodejs_net_server " and downloaded over 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), with its corresponding repository leading to non-existent locations hosted on GitHub.  "It isn't malicious by itself, but it can be when put into the malicious use context," ReversingLabs researcher Karlo Zanki  said  in an analysis shared with The Hacker News. "For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line." While the first version of the package was put out just to test the process of p...

Can you believe that it's been 6 years since we first launched The Hacker News? Yes, The Hacker News is celebrating its sixth anniversary today on 1st November. We started this site on this same day back in 2010 with the purpose of providing a dedicated platform to deliver latest infosec news and threat updates for Hackers, Security researchers, technologists, and nerds. Times flies when you are having fun! The Hacker News has become one of the World's popular and trusted Hacking News channel that went from ~100,000 readers to more than 10 million monthly readers — all because of THN readers high enthusiasm. In this short span of time, The Hacker News has achieved a series of milestone: The Hacker News Facebook page is going to hit 1.5 Million Followers, More than 1.6 Million followers on Google Plus+ , Over 200,000 Email Subscribers , And around 307,000 Twitter Followers. What's more? The Twitter Account of The Hacker News became officially verified (...

Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort. "The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years," Endor Labs researchers Cris Staicu and Kiran Raj said in a Tuesday report. The coordinated campaign has so far published as many as 67,579 packages , according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual – It's designed to inundate the npm registry with random packages rather than focusing on data theft or other malicious behaviors. The worm-life propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFood...

Cybersecurity researchers from  SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below - eslint-config-airbnb-compat (676 Downloads) ts-runtime-compat-check (1,588 Downloads) solders (983 Downloads) @mediawave/lib (386 Downloads) All the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry.  SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former package ("proxy.eslint-proxy[.]site") to retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown. "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code,"...

A now-patched critical security flaw impacting Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by means of a supply chain attack technique called dependency confusion. The vulnerability has been codenamed CloudImposer by Tenable Research. "The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool," security researcher Liv Matan said in a report shared with The Hacker News. Dependency confusion (aka substitution attack), which was first documented by security researcher Alex Birsan in February 2021, refers to a type of software supply chain compromise in which a package manager is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository. So, a threat actor could stage a large-scale supply chain attack by publ...

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials. The package in question is " fabrice ," which typosquats a popular Python library known as " fabric ," which is designed to execute shell commands remotely over SSH.  While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. As of writing, "fabrice" is still available for download from PyPI. It was first published in March 2021. The typosquatting package is designed to exploit the trust associated with "fabric," incorporating "payloads that steal credentials, create backdoors, and execute platform-specific scripts," security firm Socket said . "Fabrice" is designed to carry out its malicious actions ...

Cybersecurity researchers have found that it's possible for threat actors to exploit a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running Ubuntu operating system. "While 'command-not-found' serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages," cloud security firm Aqua said in a report shared with The Hacker News. Installed by default on Ubuntu systems, command-not-found  suggests  packages to install in interactive bash sessions when attempting to run commands that are not available. The suggestions include both the Advanced Packaging Tool ( APT ) and  snap packages . While the tool uses an internal database ("/var/lib/command-not-found/commands.db") to suggest APT packages, it relies on the " advise-snap " comman...

A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads. These susceptible packages have more than 100,000 downloads or have been active for over six months. "This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," JFrog security researchers Andrey Polkovnychenko and Brian Moussalli said in a report shared with The Hacker News. At its core, the attack hinges on the fact that Python packages published in the PyPI repository may get removed, making available the names of those deleted projects ...

Cybersecurity researchers have uncovered yet another active software supply chain attack campaign targeting the npm registry with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developers' machines. The campaign has been codenamed PhantomRaven by Koi Security. The activity is assessed to have begun in August 2025, when the first packages were uploaded to the repository. It has since ballooned to a total of 126 npm libraries, attracting more than 86,000 installs. Some of the packages have also been flagged by the DevSecOps company DCODX -  op-cli-installer (486 Downloads) unused-imports (1,350 Downloads) badgekit-api-client (483 Downloads) polyfill-corejs3 (475 Downloads) eslint-comments (936 Downloads) What makes the attack stand out is the attacker's pattern of hiding the malicious code in dependencies by pointing to a custom HTTP URL, causing npm to fetch them from an untrusted website (in this case,...

Cybersecurity researchers have warned of a new malicious Python package that has been discovered in the Python Package Index (PyPI) repository to facilitate cryptocurrency theft as part of a broader campaign. The package in question is pytoileur , which has been downloaded 316 times as of writing. Interestingly, the package author, who goes by the name PhilipsPY, has uploaded a new version of the package (1.0.2) with identical functionality after a previous version (1.0.1) was yanked by PyPI maintainers on May 28, 2024. According to an analysis released by Sonatype, the malicious code is embedded in the package's setup.py script, allowing it to execute a Base64-encoded payload that's responsible for retrieving a Windows binary from an external server. "The retrieved binary, 'Runtime.exe,' is then run by leveraging Windows PowerShell and VBScript commands on the system," security researcher Ax Sharma said . Once installed, the binary establishes persiste...

Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that impersonates a software development kit (SDK) for SentinelOne, a major cybersecurity company, as part of a campaign dubbed  SentinelSneak . The package, named  SentinelOne  and now taken down, is said to have been published between December 8 and 11, 2022, with nearly two dozen versions pushed in quick succession over a period of two days. It claims to offer an easier method to access the  company's APIs , but harbors a malicious backdoor that's engineered to amass sensitive information from development systems, including access credentials, SSH keys, and configuration data. What's more, the threat actor has also been observed releasing two more packages with similar naming variations –  SentinelOne-sdk  and  SentinelOneSDK  – underscoring the  continued threats  lurking in open source repositories. "The SentinelOne ...

Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers. "The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages," supply chain security company Socket said . The end goal of the campaign is to search developer machines for secrets using TruffleHog's credential scanner and transmit them to an external server under the attacker's control. The attack is capable of targeting both Windows and Linux systems. The following packages have been identified as impacted by the incident - angulartics2@14.1.2 @ctrl/deluge@7.2.2 @ctrl/golang-template@1.4.3 @ctrl/magnet-link@4.0.4 @ctrl/ngx-codemirror@7.0.2 @ctrl/ngx-csv@6.0.2 @ctrl/ngx-emoji-mart@...

Threat hunters have discovered a set of seven packages on the Python Package Index (PyPI) repository that are designed to steal  BIP39 mnemonic phrases  used for recovering private keys of a cryptocurrency wallet. The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs. The packages were collectively downloaded 7,451 times prior to them being removed from PyPI. The list of packages is as follows - jsBIP39-decrypt  (126 downloads) bip39-mnemonic-decrypt  (689 downloads) mnemonic_to_address  (771 downloads) erc20-scanner  (343 downloads) public-address-generator  (1,005 downloads) hashdecrypt  (4,292 downloads) hashdecrypts  (225 downloads) BIPClip, which is aimed at developers working on projects related to generating and securing cryptocurrency wallets, is said to be active since at least December 4, 2022, when hashdecrypt was first published to the registry. "This is just the latest software supply ...

A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced. The flaw, assigned the CVE identifier CVE-2024-27322 (CVSS score: 8.8), "involves the use of promise objects and lazy evaluation in R," AI application security company HiddenLayer said in a report shared with The Hacker News. RDS,  like pickle in Python , is a format used to serialize and save the state of data structures or objects in R, an open-source programming language used in statistical computing, data visualization, and machine learning. This process of serialization – serialize() or saveRDS() – and deserialization – unserialize() and readRDS() – is also leveraged when saving and loading R packages. The root cause behind CVE-2024-27322 lies in the fact that it could lead to arbitrary code execution when deseriali...

Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens. The package, ccxt-mexc-futures, purports to be an extension built on top of a popular Python library named ccxt (short for CryptoCurrency eXchange Trading), which is used to connect and trade with several cryptocurrency exchanges and facilitate payment processing services. The malicious package is no longer available on PyPI, but statistics on pepy.tech shows that it has been downloaded at least 1,065 times . "The authors of the malicious ccxt-mexc-futures package, claim in its README file that it extends the CCXT package to support 'futures' trade on MEXC," JFrog researcher Guy Korolevski said in a report shared with The Hacker News. However, a deeper examination of the library has revealed that it specifically overr...

Cybersecurity researchers have discovered a malicious package named "os-info-checker-es6" that disguises itself as an operating system information utility to stealthily drop a next-stage payload onto compromised systems. "This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final payload," Veracode said in a r eport shared with The Hacker News. "Os-info-checker-es6" was first published in the npm registry on March 19, 2025, by a user named "kim9123." It has been downloaded 2,001 times as of writing. The same user has also uploaded another npm package called "skip-tot" that lists "os-info-checker-es6" as a dependency. The package has been downloaded 94 times . While the initial five versions exhibited no signs of data exfiltration or malicious behavior, a subsequent iteration uploaded on May 7, 2025, has ...

Active flaws in the PowerShell Gallery could be weaponized by threat actors to pull off supply chain attacks against the registry's users. "These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package," Aqua security researchers Mor Weinberger, Yakir Kadkoda, and Ilay Goldman said in a report shared with The Hacker News. Maintained by Microsoft,  PowerShell Gallery  is a  central repository  for sharing and acquiring PowerShell code, including PowerShell modules, scripts, and Desired State Configuration (DSC) resources. The registry boasts of 11,829 unique packages and 244,615 packages in total. The issues identified by the cloud security firm have to do with the service's lax policy surrounding package names, lacking protections against typosquatting attacks, as a result enabling attackers to upload malicious PowerShell modules that appear genuine to unsuspecting u...