
Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm

Version 2026.4.0 of the widely-used @bitwarden/cli npm package (78,000 weekly downloads) has been identified as malicious. The package contains a sophisticated multi-stage credential theft worm that explicitly names itself "Shai-Hulud: The Third Coming", a direct callback to previous Shai-Hulud supply chain campaigns, and targets developer credentials including SSH keys, cloud secrets, and even MCP configuration files.

Emerging Threat: Axios npm Supply Chain Attack Drops Remote Access Trojan (RAT)

On March 31, 2026, two malicious versions of axios were published to npm using credentials stolen from a lead axios maintainer. The attacker injected a hidden dependency into both releases that drops a remote access trojan (RAT) on any machine that ran npm install during the exposure window. No CVE identifier has been assigned at the time of writing. The malicious dependency executes automatically at install time via a postinstall hook, without any action by the developer.

Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT

On March 31, 2026, two malicious versions of axios, the enormously popular JavaScript HTTP client with over 100 million weekly downloads, were briefly published to npm via a compromised maintainer account. The packages contained a hidden dependency that deployed a cross-platform remote access trojan (RAT) to any machine that ran npm install (or equivalent in other package managers like Bun) during a two-hour window. The malicious versions (1.14.1 and 0.30.4) were removed from npm by 03:29 UTC.

CVE-2025-55131: Node.js Memory Exposure Risk

Node.js patched a serious vulnerability (CVE-2025-55131) that could expose uninitialized memory and leak secrets such as tokens or application data, caused by a race condition in the buffer allocation logic. The vulnerability affects the vm module when execution timeouts are used and is part of a broader coordinated security update across all active Node.js release lines.

Critical Node.js Vulnerabilities Expose Uninitialized Memory (CVE-2025-55131)

CVE-2025-55131 is a high-severity buffer allocation race condition vulnerability in Node.js that can lead to uninitialized memory exposure when using the vm module with execution timeouts. This vulnerability is part of a coordinated Node.js security update addressing eight vulnerabilities across all active release lines.

54 New NPM Packages Found Beaconing to C2 Server in Ethereum Smart Contract

Jan 13, 2026: Vibe Coding and GenAI Security: Balancing Speed with Risk (Natalie Tischler)

Jan 8, 2026: Top 10 Challenges in DevSecOps Adoption (Natalie Tischler)

Jan 6, 2026: Looking Ahead at 2026 with Gartner: How Smarter Teams and Tools Are Making Application Security a Breeze (Joe Ariganello)

Shai-Hulud: The Second Coming Hits npm Users

Once again, the npm supply chain has been compromised, putting developers who rely on these vital open source components at risk. On November 24th, a sophisticated attack was discovered that borrows techniques from the Shai-Hulud malware used in the npm hijacking this past September. This is not an isolated incident. It’s a continuation of an existing campaign that is now abusing CI/CD pipelines and GitHub automation to spread faster and steal more secrets than before.

Shai-Hulud npm supply chain attack - new compromised packages detected

(Nov 24, 2025) JFrog continues to track, research, and document another wave of the Shai-Hulud software supply chain attack, which was originally reported by the JFrog Security Research team on 16-Sep-2025. Following the initial campaign, threat actors have returned with more advanced tactics, compromising an additional 796 new malicious packages across leading public registries.

Top 10 Node.js Development Companies to Hire Skilled Developers

Slow releases, sluggish web apps, and clunky user experiences can stall growth, frustrate customers, and make promising digital products lose momentum. Many businesses struggle with legacy stacks that are hard to scale, costly to maintain, and too slow to keep pace with modern feature demands. Node.js changes this equation by enabling fast, event-driven, and scalable backends that handle high traffic and real-time interactions with ease. Its vast ecosystem, reusable components, and JavaScript end-to-end approach help teams ship features faster, reduce context switching, and improve overall performance.

Malicious NPM Package Found Targeting GitHub By Typosquatting on GitHub Action Packages

The package claims to be part of the GitHub Actions Toolkit, which has a legitimate npm package, @actions/artifact. This malware package is therefore a clear typosquat, swapping the letters “ti” for “it”. We took a look at the “harness” binary referenced in version 4.0.13.