Researchers say the campaign uses a browser-based JavaScript VM to hide credential theft and intercept MFA at scale.

Requires Node v24.13.1 or higher ES5 support only. No complex features: async, generator, and even try..finally aren't supported. Experimental. Expect issues. Try the ...

Over 170 TanStack, Mistral AI, OpenSearch, UiPath, and other packages were affected in a new Mini Shai-Hulud supply chain ...

TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm ...

Mini Shai-Hulud worm compromises 169 npm packages including TanStack Mistral AI; TeamPCP uses stolen OIDC tokens.

Hundreds of npm packages infected by the self-propagating, credential-stealing worm from TeamPCP are related to the open ...

Fake OpenAI Privacy Filter hit #1 on Hugging Face with 244,000 downloads, spreading infostealer malware to Windows users.

An attacker poisoned 84 TanStack npm versions across 42 packages, stealing GitHub OIDC tokens and cloud keys while planting a ...

ClickFix relies on tricking users into essentially hacking themselves by running commands that compromise their computers. In ...

On April 29, 2026, someone hijacked four widely used SAP packages on the npm registry, slipped credential-stealing malware ...

A new wave of the Mini Shai-Hulud campaign compromised dozens of TanStack npm packages as part of a broader supply chain ...

However, the biggest human element threat in 2026 isn’t just password reuse – it’s the accidental insider threat created by ...