NPM ecosystem hit with two new supply chain compromises
Summary
Attackers compromised multiple npm packages (software libraries that Node.js developers use) by exploiting stolen developer credentials and a vulnerability in GitHub Actions (automation tools that run code when developers submit changes). The malware steals sensitive information like passwords, SSH keys (authentication credentials), and cloud credentials from developer machines.
Solution / Mitigation
Security researchers advise organizations to completely rebuild from clean images any developer machines that have installed a poisoned package and to rotate all npm tokens, source control access, cloud credentials, CI/CD secrets, SSH keys, signing keys, and browser sessions. The AsyncAPI project had a proposed fix to the GitHub Actions vulnerability since May 17, but it had not yet been merged into the main branch at the time of the attack.
Classification
Original source: https://www.csoonline.com/article/4197499/npm-ecosystem-hit-with-two-new-supply-chain-compromises.html
First tracked: July 15, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 95%