Qix is an open source maintainer account that was compromised by a phishing attack. This allowed attackers to infect 18 popular npm packages with malicious code. Together, these packages are ...

Hackers launched the largest NPM crypto attack in history and compromised 18 JavaScript packages with billions of downloads.

In a supply chain attack, attackers injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.

On September 8, 2025, a single phishing email triggered one of npm’s most damaging supply chain attacks, compromising 18 ...

What could have been a historic supply chain attack seems to have been averted due to the rapid response of the open source ...