Skip to main content

Tag: npm package

4 articles

Developer workstation with laptop and terminal in a shared office space with cityscape background.

Compromised jscrambler NPM Package Drops Rust Infostealer

A malicious version of the jscrambler NPM package, 8.14.0, was published on July 11, 2026, and could silently infect your system with a Rust-based infostealer just by installing it, no extra steps required. Merely running the install command was enough to trigger the payload on vulnerable systems.

Analyst 207
Developer workstation with laptop and office supplies in a bright, minimalist room.

Claude Code Attack Persists Through Token Rotation Flaw

A surprising lack of resistance to a proof-of-concept attack has exposed a vulnerability in Claude Code, allowing a five-step attack chain that can turn routine token rotation into a continuous compromise. This exploit requires just one malicious npm package and the ability to run code on a developer's machine, making it a concerning threat.

Analyst 207
Cluttered developer workstation with laptop and monitor in shared office space.

Cline Kanban Flaw Exposes AI Coding Agents to Website Hijacking

A critical vulnerability in Cline Kanban's WebSocket endpoints lets hackers hijack websites visited by developers, silently interacting with local AI agents - and it's a flaw that requires zero phishing, malware, or social engineering. This severe flaw, scoring 9.7 on the CVSS scale, puts AI coding agents at risk of website hijacking.

Analyst 207
Sharp-focus laptop screen on a modern desk with blurred background.

Google Fixes Critical Gemini CLI Flaw Enabling Remote Code Execution

Google patched a critical flaw in Gemini CLI that allowed hackers to inject malicious code and take control of host systems, thanks to a report from Novee Security. The vulnerability, scoring a perfect 10.0 on the CVSS scale, has been fixed in recent updates to the @google/gemini-cli and google-github-actions/run-gemini-cli packages.

Analyst 207