Skip to main content

Tag: javascript

66 articles

BeaverTail and OtterCookie: Stunning Critical Threat

BeaverTail and OtterCookie: Stunning Critical Threat

Cisco Talos warns a North Korean group is fusing BeaverTail’s credential-theft with OtterCookie’s browser persistence into single, stealthier JavaScript malware that’s harder to spot — defenders should start hunting for blended behaviors and tighten basics like MFA, patching, and anomaly detection now.

Analyst 207
self-replicating worm: Shocking, Devastating NPM Breach

self-replicating worm: Shocking, Devastating NPM Breach

Imagine your everyday npm install quietly stealing your keys — researchers traced a self‑replicating worm to at least 187 NPM packages that exfiltrates developer credentials to GitHub each time an infected package is installed. This outbreak shows how fragile the software supply chain is and why immediate credential rotation, strict dependency hygiene, and better package vetting are essential.

Analyst 207
JavaScript packages Risky: Exclusive Crypto-Theft Alert

JavaScript packages Risky: Exclusive Crypto-Theft Alert

Eighteen popular JavaScript packages — downloaded billions of times a week — were briefly compromised after a maintainer fell for a phishing email, with code added to steal crypto keys before it was quickly removed. The scare is a wake-up call: tighten maintainer access, adopt signing and provenance, and treat dependencies like critical third-party software.

Analyst 207
copy-paste attacks: Dangerous, Must-Have Fixes

copy-paste attacks: Dangerous, Must-Have Fixes

When a site tells you “paste this into your console” it may seem like helpful tech support, but ClickFix attacks are a fast‑growing social‑engineering scam that trick users into running scripts that steal tokens, clipboard data, or install persistent browser malware. Learn why low technical barriers, defenses that can be bypassed by user interaction, and high‑value browser tokens make copy‑paste attacks especially dangerous — and what can be done to stop them.

Analyst 207
unmonitored JavaScript: Must-Have Fixes for Secure Holidays

unmonitored JavaScript: Must-Have Fixes for Secure Holidays

This holiday season, tiny unmonitored JavaScript snippets are letting attackers skim cards and siphon credentials right from checkout pages while WAFs and IDS stay blind. Retailers need client‑side monitoring, script integrity checks, and tighter third‑party controls now — or risk thousands of compromised customers and shattered trust.

Analyst 207
malicious npm packages: Stunning Critical Threat Revealed

malicious npm packages: Stunning Critical Threat Revealed

Researchers uncovered Beamglea — 175 malicious npm packages downloaded about 26,000 times — that quietly hosted credential‑harvesting phishing campaigns against 135+ organizations, a stark reminder that the convenience of open-source packages can become a gateway for large‑scale theft.

Analyst 207
WordPress themes and plugins: Risky Must-Have Fix

WordPress themes and plugins: Risky Must-Have Fix

A routine verification prompt can hide a dangerous trap: attackers are hijacking WordPress themes and plugins to inject stealthy JavaScript that redirects visitors to convincing phishing pages. Keep themes and plugins updated, use strong admin controls and a WAF, and vet all extensions to stop these silent, high-impact compromises before they spread.

Analyst 207
QR-code steganography: Exclusive Dangerous Threat

QR-code steganography: Exclusive Dangerous Threat

A malicious npm package called Fezbox has been hiding stolen browser credentials inside seemingly innocuous QR images, turning routine builds into quiet data leaks. Treat every dependency with suspicion—pin versions, scan for suspicious runtime behavior, and rotate tokens—to defend against clever supply‑chain tricks like this.

Analyst 207
npm registry Must-Have Fixes Make It Safer

npm registry Must-Have Fixes Make It Safer

A recent wave of phishing and malware-laced npm packages has pushed GitHub to tighten registry security—introducing mandatory 2FA for popular maintainers, trusted publishing rules, and sweeping takedowns—to stop attackers from slipping malicious updates into countless JavaScript projects. These changes aim to make the ecosystem safer without losing the openness that powers modern development.

Analyst 207
secret-stealing worm: Devastating npm threat Revealed

secret-stealing worm: Devastating npm threat Revealed

A fast‑spreading secret‑stealing worm nicknamed Shai‑Hulud is prowling npm, siphoning hundreds of credentials from developer machines and CI pipelines and turning routine installs into supply‑chain attacks. Act now: rotate exposed tokens, harden CI, and vet dependencies to stop further spread.

Analyst 207
self-replicating worm: Stunning Risk to Dev Supply Chains

self-replicating worm: Stunning Risk to Dev Supply Chains

A self-replicating worm has infected nearly 200 NPM packages, stealing developer tokens and publishing them to public GitHub repos so each install can expose even more credentials. If you use open-source dependencies, now’s the time to audit builds, rotate keys, and lock down your developer workflows before the next propagation wave hits.

Analyst 207
malicious bundlejs: Stunning Devastating npm Alert

malicious bundlejs: Stunning Devastating npm Alert

Over 40 npm packages were quietly republished with an injected bundle.js that steals credentials, turning trusted modules into stealthy supply‑chain lures. Lock down maintainer accounts, enable MFA and artifact signing, and scan for unexpected postinstall scripts to stop this kind of attack.

Analyst 207
browser-based attacks: Critical Must-Have Defenses

browser-based attacks: Critical Must-Have Defenses

We’ve hardened email — it’s time to treat browsers as the frontline: discover the six browser-based attacks every security team must prioritize now and the practical defenses to keep users, credentials, and networks safe.

Analyst 207
malicious npm code: Critical Risk, Must-Have Defenses

malicious npm code: Critical Risk, Must-Have Defenses

Think supply chain attacks are theoretical? Wiz found malicious npm code in about 10% of cloud environments — proof a single tainted dependency can ripple across services. Treat dependencies like security controls: use SBOMs, provenance checks, and runtime defenses to keep builds safe without slowing teams down.

Analyst 207
npm packages Must-Have Defense Against Risky Attacks

npm packages Must-Have Defense Against Risky Attacks

Attackers briefly pushed trojanized npm releases that spread fast through the cloud, mined only pennies, and left security teams scrambling to contain and remediate. It’s a wake‑up call: package convenience comes with real supply‑chain risk, so tighten controls, pin dependencies, and treat dependencies as first‑class security assets.

Analyst 207
supply chain attack: Stunning Near-Miss, Risky Lessons

supply chain attack: Stunning Near-Miss, Risky Lessons

A fast, coordinated open‑source response helped avert what could have been a massive npm supply‑chain breach, but the near miss raises urgent questions for developers, maintainers and policymakers about dependency hygiene, registry controls and long‑term resilience.

Analyst 207
Axios user agent Dangerous Surge: Must-Have Defense

Axios user agent Dangerous Surge: Must-Have Defense

A routine Axios user‑agent has been weaponized — ReliaQuest found a 241% surge in phishing that spoofs the header to evade filters and increase clicks. Security teams need to stop trusting user‑agent strings alone and adopt layered defenses before attackers scale this trick further.

Analyst 207
crypto phishing Shocking Supply-Chain Nightmare

crypto phishing Shocking Supply-Chain Nightmare

One phishing click that reset a maintainer’s 2FA let attackers slip backdoors into at least 18 popular npm packages — including debug and chalk — turning trusted libraries into supply-chain landmines. It’s a wake-up call: human error can ripple through the entire ecosystem, so stronger authentication, multi-person publishing, and tighter dependency hygiene can’t wait.

Analyst 207
malicious npm package: Risky Crypto-Theft Exclusive Alert

malicious npm package: Risky Crypto-Theft Exclusive Alert

A malicious npm package posing as the popular nodemailer email library slipped into projects with one line of dependency and carried code designed to siphon cryptocurrency—showing how a single careless install can turn a routine dependency into a financial threat. Audit your dependencies, pin versions, and use supply‑chain tools—convenience shouldn’t cost you your wallet.

Analyst 207
developer AI assistants Risky: Stunning Supply-Chain Threat

developer AI assistants Risky: Stunning Supply-Chain Threat

A newly discovered supply‑chain attack on the Nx npm package used AI‑enabled malware to siphon developer secrets and crypto, showing how trusted code helpers can be turned into attack vectors. Treat AI suggestions as untrusted—use package signing, strict dependency pinning, least‑privilege environments, and thorough scans to keep your toolchain safe.

Analyst 207
supply chain attacks: Risky npm compromise – Must-Have alert

supply chain attacks: Risky npm compromise – Must-Have alert

When a trusted npm package—eslint-config-prettier—was hijacked to deliver the Scavenger RAT, it turned the open-source supply chain into an attack highway. Developers and teams must treat dependencies as potential threats: pin versions, enable 2FA, rotate secrets, and hunt for compromises before convenience becomes a vulnerability.

Analyst 207
3,500 Websites Compromised for Secret Crypto Mining Attack

3,500 Websites Compromised for Secret Crypto Mining Attack

In a startling turn of events, over 3,500 websites have fallen victim to a cryptojacking resurgence, hijacking users computing power without consent and raising urgent questions about cybersecurity and ethical responsibility. As we navigate this murky digital landscape, its crucial to understand the implications for our rights as online citizens.

Analyst 207
cryptojacking websites: Must-Have Guide to Best Defenses

cryptojacking websites: Must-Have Guide to Best Defenses

Imagine visiting a harmless site and unknowingly lending your device’s power to hidden crypto miners — over 3,500 legitimate webpages were recently found doing just that. Stay alert: update your browser, use trusted blockers, and check for unexplained slowdowns to protect your performance, privacy, and battery life.

Analyst 207
npm package security: Must-Have Guide to Risky Breaches

npm package security: Must-Have Guide to Risky Breaches

A targeted phishing attack that slipped malicious code into five npm packages shows how easily supply chains can be weaponized. Treat publish tokens like private keys—enable 2FA, rotate credentials, and demand package signing and provenance to stop the next breach.

Analyst 207