Tag
undici WebSocket Client Vulnerable to Denial of Service (CVE-2026-12151)
2 rules, 1 TTP
The `undici` WebSocket client is vulnerable to CVE-2026-12151, a high-severity denial of service attack where a malicious WebSocket server can stream numerous small continuation frames that bypass `maxPayloadSize` checks, causing unbounded memory growth and exhaustion in affected client processes.
gemini-mcp-tool Vulnerable to OS Command Injection and File Exfiltration (CVE-2026-0755)
2 rules, 3 TTPs
A critical vulnerability, CVE-2026-0755, in npm's gemini-mcp-tool package allows for OS command injection on Windows systems due to improper handling of unquoted cmd.exe metacharacters, and arbitrary local file exfiltration via the @file parser when processing untrusted prompt input, leading to potential remote code execution and sensitive data compromise.
npm PraisonAI SandboxExecutor Network Isolation Bypass Vulnerability (GHSA-gqmf-56h7-rrpf)
2 rules, 3 TTPs
The npm package `praisonai` versions 1.2.3 through 1.7.1 contain a network isolation bypass vulnerability (GHSA-gqmf-56h7-rrpf) in its `SandboxExecutor` component's `network-isolated` mode, allowing non-proxy-aware client commands to establish direct network connections, leading to potential data exfiltration and access to internal services.
npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining
1 rule, 1 TTP
A critical command injection vulnerability exists in the `npm:praisonai` package versions >= 1.2.3 and <= 1.7.1, where the `SandboxExecutor`'s `allowedCommands` policy is bypassed by allowing arbitrary shell command chaining after an allowlisted command, leading to remote code execution with the PraisonAI process privileges.
undici TLS Validation Bypass via SOCKS5 ProxyAgent (CVE-2026-9697)
2 rules
A vulnerability in undici's ProxyAgent, when configured with a SOCKS5 proxy, causes the `requestTls` option to be silently dropped. This bypasses user-configured TLS certificate validation settings (e.g., custom CAs), allowing HTTPS connections through the SOCKS5 tunnel to fall back to the Node.js default trust store. This flaw enables Man-in-the-Middle (MITM) attacks, where any publicly-trusted certificate for the target hostname would be accepted, compromising the intended certificate pinning and allowing attackers to read or tamper with HTTPS traffic.
npm PraisonAI AgentOS Unauthenticated API Exposure
2 rules, 4 TTPs
The npm `praisonai` package's TypeScript `AgentOS` HTTP server defaults to `0.0.0.0` and exposes unauthenticated API endpoints (`/api/agents`, `/api/chat`), allowing attackers to disclose agent configurations and invoke agents without authorization, leading to potential data exfiltration, unauthorized actions, and resource consumption.
Lazarus Group's Brandjacking Campaign on npm Delivers Persistent Node.js Backdoor
3 rules, 5 TTPs, 1 IOC
The Lazarus Group is conducting a brandjacking campaign on npm, using dozens of malicious packages like 'buffer-utilities' to deploy a Node.js backdoor that collects host information, establishes C2 communication, and maintains persistent attacker-controlled code execution, primarily targeting developers.
Atomic Arch Campaign Leverages Orphaned AUR Packages for Linux Payload Deployment
3 rules, 14 TTPs, 6 IOCs
The Atomic Arch campaign compromises orphaned Arch User Repository (AUR) packages, modifying their PKGBUILDs to install malicious npm/Bun dependencies like 'atomic-lockfile', which deploy a Linux payload with credential harvesting, eBPF-based stealth, anti-debugging, and data exfiltration capabilities, impacting approximately 1,500 packages.
Red Hat Cloud Services npm Packages Hijacked
2 rules
Multiple npm packages within the legitimate @redhat-cloud-services namespace have been hijacked with malicious code, posing a supply chain risk.
Red Hat npm Packages Compromised by Miasma Malware
2 rules, 2 TTPs
A supply chain attack compromised over 30 npm packages under Red Hat's '@redhat-cloud-services' namespace, distributing a credential-stealing malware variant named 'Miasma' that targets sensitive developer information.
Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT
2 rules, 1 TTP
Attackers are compromising npm packages to distribute a RAT linked to PolinRider, directly injecting malicious code into the software supply chain.
@hulumi/drift Orphan Reconciler Accepts Externally Supplied Execute Plans
2 rules
@hulumi/drift versions before 1.3.2 could accept externally supplied execute plans without sufficient provenance checks, allowing unsafe reconciliation input to be treated as trusted; upgrade to version 1.3.2 or later to resolve this vulnerability.
Compromised @cap-js Packages Lead to Credential Theft and Self-Propagation
2 rules, 2 TTPs
Compromised versions of `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, and `@cap-js/db-service@2.10.1` were published, leading to credential harvesting and attempted self-propagation; upgrade immediately and rotate credentials.
Malicious @beproduct/nestjs-auth Package Contains Mini Shai-Hulud Worm (CVE-2026-46412)
2 rules, 4 TTPs, 6 IOCs
Between May 11th and May 12th of 2026, a threat actor compromised an npm publish token to publish 18 malicious versions of the '@beproduct/nestjs-auth' package (versions 0.1.2 through 0.1.19) containing payloads from the Mini Shai-Hulud npm supply-chain worm campaign that exfiltrated npm tokens, GitHub PATs/OAuth tokens, AWS credentials, and Vault tokens, impacting developer environments.
Shai-Hulud Campaign Returns Targeting npm Maintainer Accounts
1 rule, 2 TTPs
The Shai-Hulud campaign is back and targets maintainer accounts to publish malicious code directly into the software supply chain via npm, recently hitting the Ant Design (AntV) ecosystem and potentially exposing downstream developers to credential theft and remote code execution.
Prototype Pollution Vulnerability in @tmlmobilidade/utils setValueAtPath Function
2 rules, 1 TTP
A prototype pollution vulnerability exists in the @tmlmobilidade/utils package before version 20260509.0340.15, specifically affecting the setValueAtPath() function, potentially leading to denial of service or arbitrary code execution.
Compromised node-ipc npm Package Steals Credentials
2 rules, 3 TTPs, 2 IOCs
Hackers injected credential-stealing malware into newly published versions of the node-ipc npm package in a supply chain attack, collecting cloud credentials, SSH keys, CI/CD secrets, and other sensitive data, exfiltrating it through DNS TXT queries.
OpenAI Compromised via TanStack Supply Chain Attack
2 rules, 1 TTP
OpenAI was impacted by the TanStack supply chain attack, resulting in two employee devices being compromised and the exfiltration of credential material from internal source code repositories.
esm.sh Path Traversal Vulnerability via package.json Browser Field
2 rules, 1 TTP
A local file inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json` within esm.sh, allowing an attacker to publish a malicious npm package that causes the server to read arbitrary files from the host filesystem.
Compromised OpenSearch Pre-Release npm Packages in Supply Chain Attack
2 rules, 1 TTP
Multiple npm and PyPI packages, including OpenSearch pre-release packages, were compromised in a supply chain attack, potentially leading to arbitrary code execution on developer or user systems.
Shai-Hulud Malware Used in Supply Chain Attack via Compromised npm Packages
3 rules, 7 TTPs, 3 IOCs
The Shai-Hulud malware was used in a large-scale software supply-chain attack that compromised hundreds of packages across open-source software ecosystems through stolen developer secrets and compromised CI/CD pipelines.
Mini Shai-Hulud Campaign Compromises npm Packages
3 rules, 6 TTPs, 8 IOCs
The Mini Shai-Hulud supply chain campaign, attributed to TeamPCP, has compromised several npm packages, including those within the @tanstack, @uipath, and @mistralai namespaces, leading to credential theft and potential further compromise.
Compromised intercom-client npm Package Exfiltrates Credentials
2 rules, 2 TTPs
A compromised version (7.0.4) of the intercom-client npm package was published using a compromised developer account, containing obfuscated JavaScript that executed during installation to harvest and exfiltrate credentials from the environment, as part of the 'Mini Shai-Hulud' supply chain campaign.
ssrfcheck SSRF Bypass Vulnerability
2 rules, 1 TTP, 1 CVE
The `ssrfcheck` npm package is vulnerable to SSRF bypass due to an incomplete denylist of IP addresses. The package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid, allowing potential SSRF attacks. All versions up to and including 1.1.1 are affected. A patch has been released in version 1.2.0.
Compromised Bitwarden CLI npm Package Enables Credential Theft and Information Exfiltration
2 rules, 2 TTPs
A remote attacker can exploit a compromised Bitwarden CLI npm package to steal credentials and exfiltrate sensitive information.
Increased npm Supply Chain Attacks Targeting SAP Developers
2 rules, 5 TTPs, 1 IOC
Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.
Mini Shai-Hulud Supply Chain Attack Targets SAP NPM Packages
2 rules, 1 TTP
The Mini Shai-Hulud campaign injected malicious code into SAP NPM packages, targeting credentials and cloud secrets related to SAP Cloud Application Programming (CAP) and SAP cloud deployment workflows, exfiltrating data through public GitHub repositories.
Compromised SAP npm Packages Steal Developer Credentials
2 rules, 5 TTPs
Multiple official SAP npm packages were compromised via a supply chain attack, likely by TeamPCP, to steal credentials and authentication tokens from developers' systems.
Supply Chain Compromises via Npm, PyPI Packages and Teams Phishing Campaigns
3 rules, 3 TTPs
The April 2026 Red Canary Intelligence Insights highlights the axios npm compromise, TeamPCP's LiteLLM compromise via PyPI, and a surge in Microsoft Teams phishing, leading to RAT deployment, credential harvesting, ransomware deployment, or data theft.
CanisterSprawl: Self-Propagating npm Malware Campaign
2 rules, 6 TTPs
The CanisterSprawl malware campaign targets npm packages, using a self-propagating approach to steal sensitive data from developer machines, including tokens and API keys, and attempting to publish malicious packages using hijacked credentials.
compressing npm Package Symlink Bypass Vulnerability
3 rules, 5 TTPs, 1 CVE, 1 IOC
A vulnerability in the `compressing` npm package (<=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.
OpenClaw Environment Variable Injection Vulnerability
2 rules, 1 TTP
The openclaw package versions prior to 2026.4.10 are vulnerable to environment variable injection: the exec environment policy omitted interpreter startup variables, allowing operator-supplied environment overrides to influence downstream execution or network behavior. The issue is addressed in versions 2026.4.10 and later.
OpenClaw Arbitrary Code Execution via Malicious .npmrc File
2 rules, 1 TTP, 1 CVE
OpenClaw before 2026.3.24 is vulnerable to arbitrary code execution via local plugin and hook installation, where an attacker can craft a .npmrc file with a git executable override to execute malicious code during npm install.
OpenClaw Trust Model Vulnerability: System Prompt Channel Injection
2 rules
OpenClaw versions 2026.4.2 and earlier are vulnerable to a trust model issue where authenticated wake hooks or mapped wake payloads can be promoted into the trusted System prompt channel, undermining the OpenClaw trust model.
Malicious NPM Packages Target Strapi Users
3 rules, 6 TTPs
A threat actor published 36 malicious NPM packages disguised as Strapi plugins in a supply chain attack, designed to execute code, escape containers, harvest credentials, and establish persistent implants on Linux systems targeting Strapi users, with specific focus on the Guardarian cryptocurrency payment gateway.
Axios npm Package Compromised via Social Engineering
2 rules, 7 TTPs
North Korean threat actors (UNC1069) compromised the Axios npm package by socially engineering a maintainer with a fake Microsoft Teams update delivering a RAT, leading to the injection of a malicious dependency and a supply chain attack.
Axios NPM Supply Chain Attack Delivering Platform-Specific RATs
2 rules, 5 TTPs, 7 IOCs
A supply chain attack on the Axios NPM package injected malicious code into versions v1.14.1 and v0.30.4, leading to the deployment of platform-specific remote access trojans (RATs) after the installation of a rogue dependency that communicated with attacker-controlled infrastructure to retrieve malicious payloads for Windows, macOS, and Linux.
Compromised Axios Library Leads to RAT Deployment via @usebruno/cli
2 rules, 5 TTPs, 1 IOC
Compromised versions of the `axios` npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT), impacting users of `@usebruno/cli` who ran `npm install` between 00:21 UTC and ~03:30 UTC on March 31, 2026, potentially leading to credential exfiltration.
OpenClaw Arbitrary File Read and Credential Exfiltration Vulnerability
2 rules, 1 TTP
The openclaw package is vulnerable to arbitrary file read and credential exfiltration because media local roots self-whitelist in `appendLocalMediaParentRoots`, allowing a model to initiate reads of arbitrary host files and potentially exfiltrate credentials.
OpenClaw Sandbox Bypass via Heartbeat Context Inheritance
2 rules
A critical vulnerability in the openclaw npm package (<=2026.3.28) allows heartbeat context inheritance to bypass the sandbox via senderIsOwner escalation; it is patched in version 2026.3.31.
OpenClaw NPM Package Vulnerable to Python Package Index Redirection
2 rules
The openclaw npm package is vulnerable to Python package-index redirection through host execution due to improper sanitization of `PIP_INDEX_URL` and `UV_INDEX_URL`, affecting versions 2026.3.28 and earlier.
Axios npm Package Compromised in Supply Chain Attack
2 rules, 1 TTP
The widely used Axios npm package was compromised via a supply chain attack on March 31, 2026, resulting in the publication of malicious versions through a compromised maintainer account.
OpenClaw Symlink Traversal via IDENTITY.md appendFile in agents.create/update
2 rules, 2 TTPs
OpenClaw is vulnerable to symlink traversal via IDENTITY.md appendFile in agents.create/update. An attacker who can place a symlink in the agent workspace can hijack the IDENTITY.md path to append attacker-controlled content to arbitrary files on the system, leading to remote code execution, persistent code execution, unauthorized SSH access, or service disruption.
OpenClaw Nostr DM Unauthorized Crypto Computation Vulnerability
2 rules
The openclaw npm package before version 2026.3.22 allows unauthorized pre-authentication computation due to improper handling of inbound Nostr DMs, where crypto and dispatch work are performed before enforcing sender and pairing policies.
pdf-image npm Package Command Injection Vulnerability (CVE-2026-26830)
2 rules, 1 TTP
The pdf-image npm package through version 2.0.0 is vulnerable to OS command injection via the pdfFilePath parameter due to improper sanitization, potentially leading to arbitrary code execution.
TeamPCP Deploys CanisterWorm on NPM After Trivy Compromise
2 rules, 3 TTPs
TeamPCP deployed the CanisterWorm malware on the NPM package registry following a compromise of the Trivy scanning tool.
PylangGhost RAT Observed on npm Registry
2 rules, 1 TTP
A new remote access trojan (RAT) named PylangGhost has been observed on the npm registry, posing a supply chain risk to developers and applications using affected packages.
OpenClaw MCP Loopback Token Spoofing Vulnerability
2 rules, 1 TTP
A vulnerability in OpenClaw versions 2026.4.21 and earlier allows a non-owner loopback client to spoof the owner context by manipulating request headers, potentially gaining unauthorized access to owner-gated operations.
Evomap Evolver Validator RCE via NPM/NPX in Sandbox Allowlist
2 rules, 1 TTP
The validator-mode sandbox executor in @evomap/evolver versions 1.70.0-beta.4 and earlier places `npm` and `npx` in its executable allowlist, allowing arbitrary code execution because validator nodes consume unsigned Hub responses without signature checks, leading to remote code execution on every validator node via lifecycle scripts.
Electerm Command Injection Vulnerability via runLinux Function
2 rules, 1 TTP
A command injection vulnerability exists in electerm's install.js due to insufficient validation in the runLinux() function, allowing attackers to execute arbitrary commands by manipulating remote release metadata.
OpenClaw Symlink Race Condition Allows Sandbox Escape
1 rule, 1 TTP
A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.