Tenable Research investigated a malicious package in the npm public registry named “amber-src” that underscores the rapid ...

While the AI itself wasn’t weaponized, the technique raises concerns about AI agents with broad system access.

The malicious version of Cline's npm package — 2.3.0 — was downloaded more than 4,000 times before it was removed.

Cline CLI 2.3.0 was published with a stolen npm token, installing OpenClaw in an 8-hour attack affecting ~4,000 downloads.

In short, npm has taken an important step forward by eliminating permanent tokens and improving defaults. Until short-lived, identity-bound credentials become the norm — and MFA bypass is no longer ...

The popular npm package "is" was infected with cross-platform malware, around the same time that linting utility packages used with the prettier code formatter were infected with Windows-only malware.

Someone compromised open source AI coding assistant Cline CLI's npm package earlier this week in an odd supply chain attack ...

The npm registry now includes Socket security analysis links directly on package pages to help developers assess supply chain risks.

Ten malicious packages mimicking legitimate software projects in the npm registry download an information-stealing component that collects sensitive data from Windows, Linux, and macOS systems. The ...

A 'logical flaw' in the npm registry enabled authors of malicious packages to quietly add anyone and any number of users as 'maintainers' to their packages in an attempt to boost the trust in their ...