A supply-chain attack on Red Hat npm packages abuses npm's install-time lifecycle scripts to run code on developer and CI/CD systems, harvest credentials from them, and spread further as self-propagating malware.
An npm package posing as an OpenAI Codex interface, with 29,000 weekly downloads, steals authentication tokens, letting attackers call APIs under the stolen identities.