devtake.dev

devtake.dev — #npmArticles tagged npm on devtake.dev.https://devtake.dev/en-usRed Hat's npm namespace and Arch's AUR were both backdoored within two weeks of each otherhttps://devtake.dev/article/npm-registry-supply-chain-wave/https://devtake.dev/article/npm-registry-supply-chain-wave/A worm hijacked Red Hat's npm namespace, a rootkit spread through 1,500 Arch AUR packages, and a SOC 2-certified AI gateway shipped malware. Registries are under fire.Sat, 13 Jun 2026 12:45:00 GMTsecuritysecuritysupply-chainnpmopen-sourcemalwareluca-reinhardtTanStack published its npm supply-chain postmortem. The attack chained three GitHub Actions flaws.https://devtake.dev/article/tanstack-npm-supply-chain-postmortem/https://devtake.dev/article/tanstack-npm-supply-chain-postmortem/Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.Tue, 12 May 2026 10:15:00 GMTsecuritysecuritysupply-chainnpmtanstackgithub-actionscredential-theftdev-toolsluca-reinhardtAnother npm worm: CanisterWorm hits 16 Namastex packages and reaches PyPI on the same hophttps://devtake.dev/article/canisterworm-namastex-npm-pypi-supply-chain/https://devtake.dev/article/canisterworm-namastex-npm-pypi-supply-chain/Socket flagged a self-propagating worm in @automagik/genie, pgserve, and 14 sibling Namastex Labs packages. It steals 40 credential categories and republishes itself.Tue, 28 Apr 2026 16:30:00 GMTsecuritynpmsupply-chaincanisterwormsecuritynamastexteampcppypicredential-theftluca-reinhardtMalicious npm and PyPI packages turn dev servers into Chinese LLM proxieshttps://devtake.dev/article/gpt-proxy-npm-supply-chain/https://devtake.dev/article/gpt-proxy-npm-supply-chain/Aikido found a stage-2 Go binary inside two health-check-themed packages that runs an OpenAI-compatible router routing Claude, GPT, and Gemini traffic through Chinese aggregators.Sat, 25 Apr 2026 07:30:00 GMTsecuritysupply-chainnpmpypiai-securitymalwarellmchinacredential-theftluca-reinhardtBitwarden CLI got backdoored for 90 minutes. The worm calls itself 'Shai-Hulud: The Third Coming.'https://devtake.dev/article/bitwarden-cli-shai-hulud-npm-worm/https://devtake.dev/article/bitwarden-cli-shai-hulud-npm-worm/A malicious @bitwarden/cli@2026.4.0 hit npm on April 22. The payload steals npm tokens, cloud secrets, and Claude Code credentials, then self-replicates.Thu, 23 Apr 2026 19:00:00 GMTsecuritybitwardenshai-huludnpmsupply-chainwormcredential-theftcheckmarxcicdluca-reinhardtprotobuf.js RCE: a 52M/week npm package was one bad type name from code executionhttps://devtake.dev/article/protobuf-javascript-rce-cve/https://devtake.dev/article/protobuf-javascript-rce-cve/GHSA-xq3m-2v4x-88gg hits protobuf.js ≤8.0.0 / ≤7.5.4. Attacker-controlled schemas executed arbitrary JS on decode. One-line fix patched it.Tue, 21 Apr 2026 12:00:00 GMTsecuritynpmprotobufjavascriptsupply-chainrceendor-labsgrpcluca-reinhardt