Npm is a tool tracked across 50 threat clusters and 353 intelligence report mentions on ThreatCluster. First observed October 29, 2025; most recent activity July 16, 2026.
The Russian state-backed hacking group Sandworm has intensified its operations against Ukrainian organizations by deploying data-wiping malware. This campaign targets critical sectors, including the grain industry, and…
On July 1, 2026, security firm SlowMist identified a fake trading bot on GitHub designed to spread malware targeting Polymarket users and DeFi developers. The bot, named 'polymarket-arbitrage-bot', was promoted as a…
A critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft has been exploited by the ShinyHunters group, leading to breaches of over 100 organizations, primarily in the education sector. The vulnerability…
Malicious npm packages have been identified as vehicles for the PylangGhost remote access trojan (RAT), linked to North Korean state-sponsored group FAMOUS CHOLLIMA. The attack began with the release of compromised…
The Google Threat Intelligence Group (GTIG) reports that North Korean threat actor UNC5342 has adopted a new technique called EtherHiding to deliver malware and facilitate cryptocurrency theft. This method embeds…
Void Dokkaebi, a North Korean threat actor, has escalated its malware distribution tactics by using fake job interviews to compromise software developers. This campaign, known as the 'Contagious Interview,' targets…
A malicious npm package named @validate-sdk/v2, introduced through Anthropic’s Claude Opus AI model, has been linked to a breach in the open-source crypto trading project openpaw-graveyard. This malware, dubbed…
On July 11, 2026, multiple malicious versions of the jscrambler npm package were published, exploiting a compromised npm publishing credential. The affected versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0) included…
On March 31, 2026, a supply chain attack targeting the Axios npm package was attributed to the North Korean cyber group UNC1069. This attack exploited vulnerabilities in the software supply chain, affecting numerous…
On March 24, 2026, two versions of the LiteLLM Python package (1.82.7 and 1.82.8) were compromised on PyPI, embedding credential-stealing payloads. The attack, linked to the TeamPCP threat actor, exploited a…