MAL-2026-10048: Malicious code in chai-as-thread (npm)
The npm package 'chai-as-thread' version 7.0.8 is a malicious typosquatting package that executes remote code. Upon requiring the package, it spawns a detached Node.js child process that runs a…
Read the full articleYou might also wanna read
Typosquatted npm Package Delivers Windows RAT with Encrypted C2 and Registry Persistence
A newly discovered malware campaign is targeting Windows systems through a deceptive package on the npm registry. Disguised as a legitimate
cybersecuritynews.com·15d agoPopular npm packages debug and chalk compromised with crypto-intercepting malware
The popular packages debug and chalk on npm have been compromised with malicious code
aikido.dev·10mo agoGitLab Identifies Large-Scale npm Supply Chain Attack with Destructive Malware
Malware driving attack includes "dead man's switch" that can harm user data.
AI-Generated npm Package Leaks Its Own GitHub Token, Exposing Malware Operator
Sloppy AI-generated npm infostealer leaked its own GitHub token, exposing the operator
Microsoft detects 14 malicious npm packages impersonating OpenSearch and Elasticsearch libraries
And then Microsoft busted them all
Microsoft detects 14 malicious npm packages impersonating OpenSearch and Elasticsearch libraries
And then Microsoft busted them all

TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack
On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistra

Comments
Sign in to join the conversation.
No comments yet. Be the first.