OUR BLOG
“IndonesianFoods” spam campaign publishes more than 86,000 malicious NPM packages
I've identified an NPM spam campaign that has published over 86,000 malicious packages to the NPM registry, affecting at least eleven NPM users. This attack focuses on creating new packages rather...
FIRST CTI Conference Talk: Integrating Software Supply Chain Intel into Enterprise CTI
I travelled to Berlin in April to give a talk at the FIRST CTI conference. This was my first time at a FIRST event and I loved it. The conference recorded all the talks, so you can see my talk, in...
EXPOSED! Thousands of public software packages expose sensitive data
Over the last two years, I've seen a concerning trend emerging in the JavaScript ecosystem: developers inadvertently (or sometimes intentionally) publishing NPM packages that expose sensitive data...
Why SCA sucks (at detecting malicious packages)
On Saturday, July 19, 2025, security researchers detected a new software supply chain attack. This attack targeted the maintainers of several popular NPM packages that collectively receive over 100...
How do malicious software packages get identified and taken down?
How do packages get identified as malicious in the first place? I think a lot of people don't understand how malicious packages are detected, so let me take a few minutes to explain it. The reality...
NPM package targets web3 smart contracts with new malware
The software supply chain attacks on crypto and web3 continue unabated. Today I identified a new malicious NPM package that is delivering a sophisticated multi-stage malware payload. It's...
NPM package targeting crypto wallets uses new language to evade detection
I've identified an NPM package deploying a new malware strain targeting the Exodus Wallet application. While this attack lacked finesse, it's interesting because it was written in a new language to...
3 myths about npm based threats
Over the years, I've talked with a lot of developers and engineering teams—first during my DevSecOps consulting work, then while building SecureStack. Now, as I focus full-time on software supply...
Malicious web3-parser NPM package targets crypto & web3 projects
I've identified a malicious NPM package named "web3-parser" that targets web3 and crypto developers. When the library is called from within a JavaScript app, it exfils all data that you asked it to...
NPM package targeting Prettier ecosystem drops malware
Our research has identified a package masquerading as the popular NPM package "Prettier" library. This package was published in the NPM registry in September 2024 and was taken offline in mid...