A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts.

BleepingComputer

A new self-propagating supply chain attack has been discovered in the npm ecosystem, targeting packages from Namastex Labs. The malware, found in 16 compromised packages, steals developer credentials including npm publish tokens, API keys, SSH keys, cloud service credentials, CI/CD secrets, and cryptocurrency wallet data from browsers. Once it finds npm publish tokens on a compromised system, it injects itself into every package that token can publish and republishes them with an incremented version number, enabling recursive worm-like spread. It also targets PyPI if Python credentials are found, making it a multi-ecosystem threat. Developers using the listed package versions should remove them immediately, rotate all secrets, and audit CI/CD pipelines for indicators of compromise.

New npm supply-chain attack self-spreads to steal auth tokens

This is basically a worm for the package ecosystem—once it grabs a publish token, it turns every package into a new infection vector.
The cross-ecosystem angle (npm + PyPI) makes it especially dangerous. If you’ve touched any affected packages, assume compromise: rotate everything and audit your pipelines immediately.

Now running <code>install [package]</code> turns you into a probable victim

First axios and now this. The JS/TS ecosystem just keeps getting hit.

So many reasons why I stay away from npm and nodejs.
I still trying to understand why people still use dangerous tools. Why people don’t change?