The ongoing ‘PhantomRaven’ malicious campaign has infected 126 npm packages to date, representing 86,000 downloads ...
PhantomRaven slipped over a hundred credential-stealing packages into npm. A new supply chain attack dubbed PhantomRaven has flooded the npm registry with malicious packages that steal credentials, ...
Malicious NPM packages pretending to be Roblox libraries are delivering ransomware and password-stealing trojans to unsuspecting users. After the malicious NPM libraries are added to a project and ...
Researchers outline how the PhantomRaven campaign exploits a hole in npm to enable software supply chain attacks.
Hackers hijacked the popular UA-Parser-JS NPM library, with millions of downloads a week, to infect Linux and Windows devices with cryptominers and password-stealing trojans in a supply-chain attack.