ZDNet

Npm package caught stealing sensitive Discord and browser files

Security researchers at Sonatype have discovered today an npm package (JavaScript library) that contains malicious code designed to steal sensitive files from a user's browsers and Discord application ...
Bleeping Computer

npm Pulls Malicious Package that Stole Login Passwords

A malicious package was removed today from the npm repository after it was discovered that it stole login information from the computers it was installed on. The npm repository is a popular online ...
Threat Post

NPM Package Steals Passwords via Chrome’s Account-Recovery Tool

In another vast software supply-chain attack, the password-stealer is filching credentials from Chrome on Windows systems via ChromePass. A credentials-stealing code bomb that uses legitimate password ...