Administrative Betrayal: The Bitwarden CLI Supply Chain Hijack
John Z Black
Apr 27, 2026
Threat Intelligence
#supply-chain
#npm
#bitwarden
#developer-security
#malware
A malicious npm package impersonating the Bitwarden CLI installed its own runtime to steal secrets. When security tools are the attack vector, the whole CI/CD pipeline becomes a weapon.
The 48-Hour Secrets Sprint: How Three Registries Were Swept in One Weekend
John Z Black
Apr 23, 2026
Threat Intelligence
#supply-chain
#npm
#pypi
#teampcp
#xinference
#canisterworm
#checkmarx-kics
#secrets-theft
#devsecops
A coordinated 48-hour sprint hit npm, PyPI, and Docker Hub, targeting developer secrets at scale. From infected AI libraries to a trojanized security scanner, the supply chain is moving faster than your detection.
North Korea Backdoored Axios for Three Hours. That Was Enough.
John Z Black
Apr 2, 2026
Threat Intelligence
#npm
#supply-chain
#north-korea
#axios
#dprk
#waveshaper
#unc1069
DPRK hackers hijacked the Axios npm package, deploying a self-erasing backdoor across 100 million weekly downloads. Three hours was all they needed.
Anthropic Accidentally Put Claude Code's Source on npm. Again.
John Z Black
Mar 31, 2026
AI Security
#anthropic
#claude-code
#npm
#source-map
#supply-chain
#ai-security
Axios Was Backdoored to Install a RAT. And It Left No Traces.
John Z Black
Mar 31, 2026
Threat Intelligence
#npm
#supply-chain
#axios
#rat
#malware
#javascript
#maintainer-compromise
This Malware Hides Its Command Server in the Blockchain, and Borrows Google Calendar Too
John Z Black
Mar 27, 2026
Threat Intelligence
#malware
#blockchain
#solana
#developer-security
#supply-chain
#glassworm
#npm
#c2
GlassWorm targets developers through compromised npm, PyPI, and GitHub packages. Its C2 address is hidden in a Solana blockchain memo. You can't take down a blockchain transaction.
The npm Ghost: That Install Log Looked Normal Because It Was Built to Fool You
John Z Black
Mar 25, 2026
Threat Intelligence
#npm
#supply-chain
#developer-security
#reversinglabs
#credential-theft
#malware
Seven malicious npm packages have been stealing sudo passwords and crypto wallet data from developer machines since February. The trick: they generate fake terminal output so convincing that developers don't look twice.
CanisterWorm: How TeamPCP Hijacked Your Security Scanners and Built an Untakeable Botnet
John Z Black
Mar 24, 2026
Threat Intelligence
#supply-chain
#teampcp
#canisterworm
#kubernetes
#ci/cd
#npm
#trivy
#kics
#wiper
TeamPCP compromised Trivy and KICS CI/CD scanner tags, spread CanisterWorm to 47 npm packages, and deployed a Kubernetes wiper targeting Iranian timezones, all controlled via blockchain C2 that can't be taken down.
North Korea Behind Polyfill.io? Supply Chain Poisoning Just Got a State Sponsor
John Z Black
Mar 13, 2026
Supply Chain Security
#supply-chain
#north-korea
#polyfill
#npm
#simple-git
#javascript
#cve
Forensic research links the Polyfill.io supply chain attack to a North Korean operative. The same week, a CVSS 9.8 RCE hits the simple-git npm library. Your dependency graph is your attack surface.
Developer Supply Chains Under Coordinated Assault: 88 Malicious npm Packages and a CVSS 9.8 in simple-git
John Z Black
Mar 12, 2026
Developer Security
#npm
#supply-chain
#developer-security
#phantomraven
#simple-git
#ci-cd
#aws
#devsecops
PhantomRaven dropped 88 malicious npm packages targeting AWS credentials and CI secrets. A critical RCE in simple-git threatens millions of dev environments. Your developer toolchain is a target.