npm

North Korea Behind Polyfill.io? Supply Chain Poisoning Just Got a State Sponsor

John Z Black Mar 13, 2026

Supply Chain Security #supply-chain #north-korea #polyfill #npm #simple-git #javascript #cve

Forensic research links the Polyfill.io supply chain attack to a North Korean operative. The same week, a CVSS 9.8 RCE hits the simple-git npm library. Your dependency graph is your attack surface.

Developer Supply Chains Under Coordinated Assault: 88 Malicious npm Packages and a CVSS 9.8 in simple-git

John Z Black Mar 12, 2026

Developer Security #npm #supply-chain #developer-security #phantomraven #simple-git #ci-cd #aws #devsecops

PhantomRaven dropped 88 malicious npm packages targeting AWS credentials and CI secrets. A critical RCE in simple-git threatens millions of dev environments. Your developer toolchain is a target.