事件概述2026 年 3 月 31 日，著名云安全平台 StepSecurity 监测到，在 JavaScript 生态系统中最受欢迎的 HTTP 客户端库 Axios（每周下载量超 3 亿次）遭遇了严重的供应链攻击。攻击者劫持了 Axios 核心维护者（jasonsaayman）的 npm 账户，并在 npm 官方仓库发布了两个被污染的恶意版本：axios@1.14.1 和 axios@0.30 ...

朝鲜这个国家，在大多数人的认知里应该是相当封闭落后的。但他们的网络攻击能力，一直被严重低估。从 2014 年的索尼影业攻击，到 2017 年的 WannaCry 勒索病毒，再到这次对 npm 生态的精准打击，朝鲜黑客的技术水平和作战纪律一点也不「落后」。

An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. As ...

The node-ipc developer attempt to protest Russia's attack on Ukraine has the unintended consequence of casting more doubt in software supply chain integrity. The developer of a popular JavaScript ...

A threat actor has used 36 malicious NPM packages posing as Strapi plugins to distribute malware targeting Redis, Docker, and ...

Russia's invasion of Ukraine has spilt over into developer-space, with a well-known npm maintainer adding "protestware" as a dependency to a very popular package. Security vendor Snyk is tracking what ...

A routine scan of the NPM open source code repository in April turned up several packages using a JavaScript obfuscator to hide their true function. After further investigation, analysts with ...