Topic: open-source ecosystem threats

Popular NPM 'is' Package Infects 2.8M Weekly Users with Malware

A widely-used NPM package called 'is' was compromised in a supply chain attack, distributing malware-infected versions (3.3.1 to 5.0.0) with a backdoor enabling remote code execution. Attackers used phishing via a fake npmjs.com domain to hijack maintainer accounts, pushing malicious updates to m...