事件概述2026 年 3 月 31 日，著名云安全平台 StepSecurity 监测到，在 JavaScript 生态系统中最受欢迎的 HTTP 客户端库 Axios（每周下载量超 3 亿次）遭遇了严重的供应链攻击。攻击者劫持了 Axios 核心维护者（jasonsaayman）的 npm 账户，并在 npm 官方仓库发布了两个被污染的恶意版本：axios@1.14.1 和 axios@0.30 ...

The node-ipc developer attempt to protest Russia's attack on Ukraine has the unintended consequence of casting more doubt in software supply chain integrity. The developer of a popular JavaScript ...

A threat actor has used 36 malicious NPM packages posing as Strapi plugins to distribute malware targeting Redis, Docker, and ...

An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. As ...

Russia's invasion of Ukraine has spilt over into developer-space, with a well-known npm maintainer adding "protestware" as a dependency to a very popular package. Security vendor Snyk is tracking what ...

A routine scan of the NPM open source code repository in April turned up several packages using a JavaScript obfuscator to hide their true function. After further investigation, analysts with ...

Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with content, and download exclusive resources. Ludi Akue discusses how the tech sector’s ...