New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally

Source: The Hacker News
Published: 2025-06-08 13:47
Fetched: 2025-06-08 14:19

Summary

A new supply chain attack has been identified, targeting the npm and PyPI ecosystems by compromising over a dozen packages linked to GlueStack. The malware, integrated through a modification in 'lib/commonjs/index.js,' enables attackers to execute shell commands, capture screenshots, and transfer files from compromised systems. Aikido Security highlighted the significant risk, noting that these packages collectively impact a vast number of users globally. This attack underscores the critical need for vigilance in monitoring package dependencies and maintaining robust security protocols in software development environments. The incident serves as a stark reminder of the vulnerabilities inherent in software supply chains and the potential for widespread disruption.

LinkedIn Post

A new supply chain attack hits npm and PyPI, targeting millions globally. Malware in GlueStack packages can execute commands and capture data. A reminder of the critical need for robust security in software supply chains. #Cybersecurity #SupplyChainAttack #DevSecOps

Content

Cybersecurity researchers have flagged a supply chain attack targeting over a dozen packages associated with GlueStack to deliver malware. The malware, introduced via a change to "lib/commonjs/index.js," allows an attacker to run shell commands, take screenshots, and upload files to infected machines, Aikido Security told The Hacker News, stating these packages collectively account for nearly 1
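Since the compromise described above arrived as a change to a package's lib/commonjs/index.js, one practical defender check is to diff that entry file between the version you have and the version you are about to install and flag newly added lines that reach for the capabilities the article attributes to the malware. The script below is an added illustration for this page, not code from Aikido Security, GlueStack or The Hacker News; its indicator patterns and the two sample index.js sources are constructed.

```python
import difflib
import re

# Constructed indicator patterns (illustrative, not from the article): Node APIs that
# a UI component library's entry point has no reason to start using between releases.
INDICATORS = {
    "shell-exec": re.compile(r"\bchild_process\b|\b(exec|execSync|spawn)\s*\("),
    "outbound-net": re.compile(r"\brequire\(['\"](https?|net|dgram)['\"]\)|\bfetch\s*\("),
    "filesystem": re.compile(r"\brequire\(['\"]fs['\"]\)|\b(readFileSync|createReadStream)\s*\("),
    "screen-capture": re.compile(r"screenshot|screencapture", re.IGNORECASE),
}


def added_lines(old_src: str, new_src: str) -> list[str]:
    """Lines present in new_src but not in old_src (the '+' lines of a unified diff)."""
    diff = difflib.unified_diff(old_src.splitlines(), new_src.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def review_entrypoint(old_src: str, new_src: str) -> dict[str, list[str]]:
    """Map each indicator category to the newly added lines that trigger it; {} means clean."""
    findings: dict[str, list[str]] = {}
    for line in added_lines(old_src, new_src):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.setdefault(name, []).append(line.strip())
    return findings


# Constructed sample: a benign release and a tampered release of lib/commonjs/index.js.
OLD_INDEX_JS = """'use strict';
Object.defineProperty(exports, '__esModule', { value: true });
var button = require('./button');
exports.Button = button.Button;
"""
NEW_INDEX_JS = """'use strict';
Object.defineProperty(exports, '__esModule', { value: true });
var button = require('./button');
var cp = require('child_process');
var https = require('https');
exports.Button = button.Button;
"""

if __name__ == "__main__":
    for category, lines in review_entrypoint(OLD_INDEX_JS, NEW_INDEX_JS).items():
        print(f"[{category}]")
        for hit in lines:
            print("   +", hit)
```

A non-empty result is a prompt to read the real diff before upgrading, not proof of compromise; a library may legitimately add one of these imports, which is exactly why the reviewer should look.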