Tag: npm package
4 articles

Compromised jscrambler NPM Package Drops Rust Infostealer
A malicious version of the jscrambler NPM package, 8.14.0, was published on July 11, 2026, and could silently infect your system with a Rust-based infostealer just by installing it, no extra steps required. Merely running the install command was enough to trigger the payload on vulnerable systems.

Claude Code Attack Persists Through Token Rotation Flaw
A surprising lack of resistance to a proof-of-concept attack has exposed a vulnerability in Claude Code, allowing a five-step attack chain that can turn routine token rotation into a continuous compromise. This exploit requires just one malicious npm package and the ability to run code on a developer's machine, making it a concerning threat.

Cline Kanban Flaw Exposes AI Coding Agents to Website Hijacking
A critical vulnerability in Cline Kanban's WebSocket endpoints lets hackers hijack websites visited by developers, silently interacting with local AI agents - and it's a flaw that requires zero phishing, malware, or social engineering. This severe flaw, scoring 9.7 on the CVSS scale, puts AI coding agents at risk of website hijacking.

Google Fixes Critical Gemini CLI Flaw Enabling Remote Code Execution
Google patched a critical flaw in Gemini CLI that allowed hackers to inject malicious code and take control of host systems, thanks to a report from Novee Security. The vulnerability, scoring a perfect 10.0 on the CVSS scale, has been fixed in recent updates to the @google/gemini-cli and google-github-actions/run-gemini-cli packages.