BattleRemote3157@reddit (OP)
well! its only 50% or only a subset of what we analyze i share which are really important. There are more than that we detect and analyze small small malicious packages
BattleRemote3157
Someone hid a full RAT inside a fake npm package and exfiltrated victim data to HuggingFace
Posted by BattleRemote3157@reddit | programming | View on Reddit | 102 comments
Someone hid a full RAT inside a fake npm package and exfiltrated victim data to HuggingFace
Posted by BattleRemote3157@reddit | programming | View on Reddit | 102 comments
BattleRemote3157@reddit (OP)
ok yes it is Remote Access Trojan.
Someone hid a full RAT inside a fake npm package and exfiltrated victim data to HuggingFace
Posted by BattleRemote3157@reddit | programming | View on Reddit | 102 comments
BattleRemote3157@reddit (OP)
yes obvious
314 npm packages just got compromised, 271 @antv, echarts-for-react, size-sensor, timeago.js
Posted by BattleRemote3157@reddit | programming | View on Reddit | 186 comments
BattleRemote3157@reddit (OP)
its better to install safely atleast [https://github.com/safedep/pmg](https://github.com/safedep/pmg)
314 npm packages just got compromised, 271 @antv, echarts-for-react, size-sensor, timeago.js
Posted by BattleRemote3157@reddit | programming | View on Reddit | 186 comments
BattleRemote3157@reddit (OP)
we don't get a break too, our usual mornings just go in analyzing and updating the community🥱
314 npm packages just got compromised, 271 @antv, echarts-for-react, size-sensor, timeago.js
Posted by BattleRemote3157@reddit | programming | View on Reddit | 186 comments
BattleRemote3157@reddit (OP)
yeah.
Mass npm Supply Chain Attack Hits TanStack, Mistral AI, and 170+ Packages
Posted by BattleRemote3157@reddit | programming | View on Reddit | 125 comments
BattleRemote3157@reddit (OP)
update:
TanStack Router got hit via GitHub Actions cache poisoning.
attacker opened a PR, poisoned the shared pnpm cache through `pull_request_target`, force-pushed the branch clean and waited. and hours later the release pipeline restored that cache and the payload ran, GitHub OAuth token stolen, malicious packages published to npm
Mass npm Supply Chain Attack Hits TanStack, Mistral AI, and 170+ Packages
Posted by BattleRemote3157@reddit | programming | View on Reddit | 125 comments
BattleRemote3157@reddit (OP)
you should have some more safer guardrail. you can use pmg [https://github.com/safedep/pmg](https://github.com/safedep/pmg) and top of it add dependency cooldown
Someone is actively publishing malicious packages targeting the Strapi plugin ecosystem right now
Posted by BattleRemote3157@reddit | programming | View on Reddit | 36 comments
BattleRemote3157@reddit (OP)
more by the way
[https://www.npmjs.com/\~tikeqemif26](https://www.npmjs.com/~tikeqemif26) , [https://www.npmjs.com/\~umar\_bektembiev1](https://www.npmjs.com/~umar_bektembiev1)
axios 1.14.1 and 0.30.4 on npm are compromised - dependency injection via stolen maintainer account
Posted by BattleRemote3157@reddit | programming | View on Reddit | 85 comments
BattleRemote3157@reddit (OP)
its have been now removed from npm registry. Do ensure you not have installed earlier though.
checkout [https://github.com/safedep/pmg](https://github.com/safedep/pmg)
TeamPCP strikes again - telnyx 4.87.1 and 4.87.2 on PyPI are malicious
Posted by No_Plan_3442@reddit | programming | View on Reddit | 63 comments
BattleRemote3157@reddit
exactly, they got lucky and have plenty of credentials
TeamPCP strikes again - telnyx 4.87.1 and 4.87.2 on PyPI are malicious
Posted by No_Plan_3442@reddit | programming | View on Reddit | 63 comments
BattleRemote3157@reddit
TeamPCP is having a field day.
Trivy. litellm. Now telnyx.