Self-propagating npm worm steals tokens via postinstall hooks, impacting six packages and expanding supply chain attacks.

A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts.

TeamPCP has again expanded its supply chain attacks on open-source repositories by targeting Telnyx, according to security researchers. The cyber threat group recently rose to notoriety by uploading ...

TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file. Earlier today, the ...

Malicious npm packages have been identified distributing malware that steals credentials and attempts to spread across ...

Cybersecurity researchers have discovered a critical "by design" weakness in the Model Context Protocol's (MCP) architecture ...

Security companies flagged axios@1.14.1 and 0.30.4 as compromised, urging credential rotation and rollback of affected packages. Update March 31, 2026, 1:28 pm UTC: This article has been updated to ...

A widely used JavaScript package used with over a hundred million weekly downloads has been compromised in a new supply chain attack to fetch a malware payload for Windows, Linux systems and macOS ...

The government will first ensure there is sufficient supply of necessities before it introduces any economic stimulus package to deal with the impact from the ongoing crisis in the Middle East, says ...

Between April 21 and 23, 2026, three coordinated supply chain campaigns targeted npm, PyPI, and Docker Hub, aiming to steal developer and CI/CD credentials. The incidents included a trojanized ...