JavaScript - Security Ticks

After Shai-Hulud, GitHub tightens npm publishing security

2FA, account protection, Don't miss, GitHub, Hot stuff, JavaScript, News, Node.js, supply chain / SecurityTicks

After Shai-Hulud, GitHub tightens npm publishing security 2025-09-23 at 19:09 By Zeljka Zorz Attackers are constantly finding ways to take over accounts and push malicious packages to the npm registry, the (GitHub-operated) online repository for JavaScript and Node.js packages. But in this month alone, we witnessed the compromise of popular code packages after a successful […]

React to this headline:

After Shai-Hulud, GitHub tightens npm publishing security Read More »

Self-replicating worm hits 180+ npm packages in (largely) automated supply chain attack

Aikido Security, Don't miss, Hot stuff, JavaScript, News, Node.js, open source, ReversingLabs, StepSecurity, supply chain attacks, Wiz, worms / SecurityTicks

Self-replicating worm hits 180+ npm packages in (largely) automated supply chain attack 2025-09-17 at 01:18 By Zeljka Zorz A potentially monumental supply chain attack is underway, thanks to a self-replicating worm-like payload that has been compromising packages published on the npm Registry. The worm has been dubbed “Shai-hulud” as it steals credentials from victims who

React to this headline:

Self-replicating worm hits 180+ npm packages in (largely) automated supply chain attack Read More »

Fake npm 2FA reset email led to compromise of popular code packages

account hijacking, Acumen Cyber, Aikido Security, Don't miss, GitHub, Hot stuff, JavaScript, News, Node.js, phishing, ReversingLabs, Sonatype, supply chain compromise / SecurityTicks

Fake npm 2FA reset email led to compromise of popular code packages 2025-09-09 at 16:51 By Zeljka Zorz Malicious versions of at least 18 widely used npm packages were uploaded to the npm Registry on Monday, following the compromise of their maintainer’s account. “The packages were updated to contain a piece of code that would

React to this headline:

Fake npm 2FA reset email led to compromise of popular code packages Read More »

Threat Actors Use SVG Smuggling for Browser-Native Redirection

JavaScript, Malware & Threats, redirect, SVG / SecurityTicks

Threat Actors Use SVG Smuggling for Browser-Native Redirection 2025-07-15 at 17:51 By Ionut Arghire Obfuscated JavaScript code is embedded within SVG files for browser-native redirection to malicious pages. The post Threat Actors Use SVG Smuggling for Browser-Native Redirection appeared first on SecurityWeek. This article is an excerpt from SecurityWeek View Original Source React to this

React to this headline:

Threat Actors Use SVG Smuggling for Browser-Native Redirection Read More »

CoinMarketCap, Cointelegraph compromised to serve pop-ups to drain crypto wallets

Blockaid, C/side, Cryptocurrency, Don't miss, Hot stuff, JavaScript, News, supply chain attacks / SecurityTicks

CoinMarketCap, Cointelegraph compromised to serve pop-ups to drain crypto wallets 2025-06-23 at 16:38 By Zeljka Zorz The CoinMarketCap and CoinTelegraph websites have been compromised over the weekend to serve clever phishing pop-ups to visitors, asking them to verify/connect their crypto wallets. The CoinMarketCap compromise CoinMarketCap (aka CMC) is a website popular with crypto investors as

React to this headline:

CoinMarketCap, Cointelegraph compromised to serve pop-ups to drain crypto wallets Read More »

Package hallucination: LLMs may deliver malicious code to careless devs

Artificial Intelligence, Don't miss, Hot stuff, JavaScript, LLMs, Malware, News, programming, Python, software development / SecurityTicks

Package hallucination: LLMs may deliver malicious code to careless devs 2025-04-14 at 15:46 By Zeljka Zorz LLMs’ tendency to “hallucinate” code packages that don’t exist could become the basis for a new type of supply chain attack dubbed “slopsquatting” (courtesy of Seth Larson, Security Developer-in-Residence at the Python Software Foundation). A known occurrence Many software

React to this headline:

Package hallucination: LLMs may deliver malicious code to careless devs Read More »

PRevent: Open-source tool to detect malicious code in pull requests

Apiiro, code analysis, Don't miss, GitHub, Hot stuff, Java, JavaScript, Kotlin, News, open source, PHP, programming, Python, Ruby, software development, threat detection / SecurityTicks

PRevent: Open-source tool to detect malicious code in pull requests 2025-02-20 at 16:52 By Zeljka Zorz Apiiro security researchers have released open source tools that can help organizations detect malicious code as part of their software development lifecycle: PRevent (a scanner for pull requests), and a malicious code detection ruleset for Semgrep and Opengrep static

React to this headline:

PRevent: Open-source tool to detect malicious code in pull requests Read More »

Solana’s popular web3.js library backdoored in supply chain compromise

account hijacking, Cryptocurrency, cybercrime, Don't miss, Hot stuff, JavaScript, News, supply chain compromise, wall / SecurityTicks

Solana’s popular web3.js library backdoored in supply chain compromise 2024-12-04 at 18:03 By Zeljka Zorz A software supply chain attack has lead to the publication of malicious versions of Solana’s web3.js library on the npm registry. Just like the recent Lottie Player supply chain compromise, this attack was reportedly made possible due to compromised (phished)

React to this headline:

Lottie Player supply chain compromise: Sites, apps showing crypto scam pop-ups

Cryptocurrency, cybercrime, Don't miss, Hot stuff, JavaScript, News, supply chain compromise / SecurityTicks

Lottie Player supply chain compromise: Sites, apps showing crypto scam pop-ups 2024-10-31 at 14:38 By Zeljka Zorz A supply chain compromise involving Lottie Player, a widely used web component for playing site and app animations, has made popular decentralized finance apps show pop-ups urging users to connect their wallets, TradingView has reported. The pop-up (Source:

React to this headline:

Lottie Player supply chain compromise: Sites, apps showing crypto scam pop-ups Read More »