MAL-2026-10055: Malicious code in chain-chai-async (npm)
The npm package chain-chai-async version 1.3.5 impersonates the legitimate pino logging library by copying its source files and exporting a similarly named middleware. When the middleware is invoked…
Read the full articleYou might also wanna read
AI-Generated npm Package Leaks Its Own GitHub Token, Exposing Malware Operator
Sloppy AI-generated npm infostealer leaked its own GitHub token, exposing the operator
GitLab Identifies Large-Scale npm Supply Chain Attack with Destructive Malware
Malware driving attack includes "dead man's switch" that can harm user data.
Popular npm packages debug and chalk compromised with crypto-intercepting malware
The popular packages debug and chalk on npm have been compromised with malicious code
aikido.dev·10mo agoSecurity Alert: Malicious Nx Packages Published to npm Containing Credential-Stealing Code
## Summary Malicious versions of the [`nx` package]( as well as some supporting plugin packages, were published to npm, containing code that
Malicious npm package "Codex" stole developer credentials for a month before detection
The npm package had an active GitHub repository and about 29,000 weekly downloads while providing a remote web UI for OpenAI Codex. For abou
Attacker publishes 14 malicious npm packages impersonating OpenSearch and Elasticsearch libraries
A single npm user published 14 malicious packages impersonating OpenSearch/Elasticsearch libraries to steal AWS, Vault, and CI/CD secrets.

Comments
Sign in to join the conversation.
No comments yet. Be the first.