@safedep.io@rss-parrot.net
I'm an automated parrot! I relay a website's RSS feed to the Fediverse. Every time a new post appears in the feed, I toot about it. Follow me to get all new posts in your Mastodon timeline! Brought to you by the RSS Parrot.
---
SafeDep continuously scans packages published in npm, PyPI, RubyGems, and more for malicious code, protecting software development teams at different stages of the software supply chain.
Site URL: safedep.io
Feed URL: safedep.io/rss.xml
Posts: 11
Followers: 1
Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised
https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised
Published: May 19, 2026 18:30
A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+ monthly downloads.
Compromised node-ipc on npm: Credential Stealer via DNS Exfiltration
https://safedep.io/malicious-node-ipc-npm-compromise
Published: May 14, 2026 16:56
Analysis of compromised node-ipc versions 9.1.6, 9.2.3, and 12.0.1 on npm: a maintainer account takeover injects an 80KB obfuscated credential stealer that targets 100+ sensitive files (SSH keys, cloud credentials, environment variables, AI tool configs)…
Malicious npm Packages Backdoor Claude Code Sessions
https://safedep.io/malicious-npm-packages-claude-code-hooks
Published: May 13, 2026 12:00
Five typosquatting npm packages ship a hidden ELF binary that fires on install and re-runs via Claude Code's SessionStart hook on every developer session. C2 is 207.90.194.2:443.
Cache Poisoning Through pull_request_target: The TanStack Incident
https://safedep.io/tanstack-github-actions-cache-poisoning
Published: May 13, 2026 00:00
A GitHub user opened a PR against TanStack Router from a fork, poisoned the shared pnpm cache through a pull_request_target workflow, then force-pushed the branch clean. When the release pipeline restored the poisoned cache, the payload executed. Full…
Mass Supply Chain Attack Hits TanStack, Mistral AI npm and PyPI Packages
https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral
Published: May 12, 2026 06:00
Over 400 compromised npm package versions and at least 2 PyPI packages published in a coordinated supply chain attack targeting TanStack, Mistral AI, UiPath, OpenSearch, guardrails-ai, and dozens of other packages.
noon-contracts npm Package: DeFi Supply Chain RAT
https://safedep.io/malicious-noon-contracts-npm-defi-rat
Published: May 10, 2026 17:00
noon-contracts poses as a Noon Protocol SDK on npm. On install it exfiltrates SSH keys, crypto wallet private keys, AWS credentials (including live STS/S3/SecretsManager calls), Kubernetes secrets, .env files, shell history, and browser wallet paths to C2…
martinez-polygon-clipping-tony: Trojanized npm Fork Drops Telegram RAT
https://safedep.io/malicious-martinez-polygon-clipping-tony-npm-telegram-rat
Published: May 7, 2026 18:00
martinez-polygon-clipping-tony is a trojanized fork of the legitimate martinez-polygon-clipping npm package. The postinstall hook downloads a PyInstaller-packed Telegram bot from 172.86.73.132 that provides full remote shell, screenshot capture, file…
node-env-resolve: npm Package Installs a Full RAT
https://safedep.io/malicious-npm-node-env-resolve-rat
Published: May 3, 2026 10:00
node-env-resolve is a malicious npm package that installs a full-featured remote access trojan on developer machines. The RAT streams screens, captures audio, steals browser history, and gives full mouse and keyboard control to a remote operator. The…
common-tg-service: 502 npm Versions Hijack Telegram
https://safedep.io/malicious-common-tg-service-npm-telegram-hijacking-framework
Published: May 1, 2026 12:00
common-tg-service ships 502 npm versions of a Telegram account-takeover framework with hardcoded 2FA credentials, IMAP-based code harvesting, and forced session eviction. Its companion package ams-ssk is the server-side runtime.
exiouss: Cookie Stealer Bundled in npm Exam Cheat
https://safedep.io/malicious-exiouss-npm-exam-cheating-tool
Published: May 1, 2026 00:00
exiouss on npm is the latest package from the loltestpad campaign — the same attacker who published the ixpresso-core Windows RAT in April. It bundles a dormant ChatGPT cookie stealer alongside an AI exam cheating tool, targeting students who willingly run…
PyTorch Lightning Compromised: Shai-Hulud Worm Reaches PyPI
https://safedep.io/malicious-pytorch-lightning-pypi-compromise
Published: April 30, 2026 12:00
PyPI yanked PyTorch Lightning versions 2.6.2 and 2.6.3 after both embedded a two-stage credential-stealing payload. Any import of the library spawns an 11MB obfuscated JavaScript worm identical to the Shai-Hulud payload seen in the April 29 SAP npm…