This morning, we were alerted to a large-scale attack against npm. This appears to be the work of the same threat actors behind the Nx attack on August 27th 2025. It was originally published by Socket and StepSecurity, who noted 40 packages had been compromised; since then an additional 147 packages have been infected with malware, including packages from CrowdStrike.
The scale, scope and impact of this attack are significant. The attackers are largely using the same playbook as the original attack, but have stepped up their game: they have turned it into a full worm, which does the following automatically:
- Steal secrets and publish them to GitHub publicly
- Run trufflehog and query Cloud metadata endpoints to gather secrets
- Attempt to create a new GitHub Action with a data exfiltration mechanism through webhook[.]site
- Iterate the repositories on GitHub a user has access to, and make them public
Since our initial alert this morning we've confirmed the following additional behaviours and important details. For those who don't know, Shai-Hulud is the name of the sandworm in the Dune franchise, a clear indication of the attackers' intent.
A_A@lemmy.world 46 minutes ago
i asked chat_bot : what's an "npm package" ?
.
a.i. answer :
In the context of software development and web technology, an npm package is a collection of reusable code, such as a library or tool, that can be easily installed and managed using the Node Package Manager (npm) for use in Node.js projects. Examples of popular npm packages include:
- Lodash, a utility library for functional programming
- React, a JavaScript library for building user interfaces
- Express, a web framework for Node.js
- jQuery, a JavaScript library for DOM manipulation
A_A@lemmy.world 32 minutes ago
What is ''web development'' ?
Web development refers to the process of building and maintaining websites, web applications, and mobile applications that run on the internet. It involves a range of tasks, including:
- Designing the user interface and user experience (UI/UX)
- Writing code in programming languages such as HTML, CSS, JavaScript, and server-side languages like PHP, Ruby, and Python
- Creating and managing databases to store and retrieve data
- Ensuring website security, scalability, and performance
Web development can be broken down into several areas, including:
- Front-end development: focuses on client-side development, creating the user interface and user experience using HTML, CSS, and JavaScript.
- Back-end development: focuses on server-side development, creating the server-side logic, database integration, and API connectivity using languages like PHP, Ruby, and Python.
- Full-stack development: involves both front-end and back-end development, requiring a broad range of skills.
In the context of the npm packages I mentioned earlier (Lodash, React, Express, and jQuery), web development involves using these packages to build and enhance web applications, such as:
- Creating interactive web pages with React and jQuery
- Building web servers and APIs with Express
- Using Lodash to simplify JavaScript development
These packages are commonly used in web development to streamline the development process, improve code quality, and enhance the user experience.