Cybersecurity

Malicious npm packages abuse dependency confusion to profile developer environments

58 sec read5 views0 listens

The information provided details an advanced and sophisticated cyberattack campaign leveraging npm (Node Package Manager) dependency confusion to deploy malware within multiple organizations. The attacker, initially identified as "mr4nd3r50n," evolved from a bug bounty researcher to a malicious actor over approximately two years, deploying malware through numerous packages across different scopes.

Key Points of the Campaign

Timeline and Evolution:
- April 2024: mr4nd3r50n begins as a bug bounty researcher.
- June 2024: Continues with similar activities, indicating an ongoing interest in exploiting npm dependency confusion.
- May 28, 2026: Launches the first wave of malicious packages under @cloudplatform-single-spa scope.
- May 29, 2026: Expands the campaign using a new account (t-in-one) and additional scopes.
Attack Vectors:
- The attacker leverages dependency confusion by creating fake npm packages with high version numbers to trick developers into installing them instead of legitimate internal packages.
- Packages are designed to mimic official internal tools, making it difficult for organizations to distinguish

Read the full article at Malware Analysis, News and Indicators - Latest topics

Want to create content about this topic? Use Nemati AI tools to generate articles, social posts, and more.

GitHub Trending: Week of May 17 – May 24, 2026

This period 41 repositories trended on GitHub. Here's what the open-source community is building. Top 10 Trending Repositories 1. multica-ai/andrej-karpathy-skills ⭐ 137,069 total · +2,014 today · 🍴 14,057 forks A single CLAUDE.md file to improve Cla...

Ali Nemati

CybersecurityMay 2034 sec read

House Homeland Dems request CISA briefing amid report of leaked agency credentials

House Homeland Security Committee members are demanding an immediate briefing from CISA following reports that a government contractor leaked sensitive AWS GovCloud credentials and internal system data on a public GitHub repository. This security fai...

Ali Nemati

CybersecurityMay 2026 sec read

Put the Moon on Your Desk

A new hardware project utilizes an ESP32-S3 and a circular display to provide a real-time, localized visualization of the Moon's current phase and orientation. This development demonstrates how developers can integrate NASA imagery with geographical ...

Ali Nemati

Tech & GadgetsMay 2030 sec read

Show HN: Hocuspocus 4 - self-hosted Yjs collaboration backend

Hocuspocus 4 has launched as a cross-platform, MIT-licensed WebSocket backend for real-time Yjs collaboration that is no longer restricted to Node.js environments. This major update enables developers to deploy collaborative sync and presence feature...

Ali Nemati

CybersecurityMay 2026 sec read

GitHub says internal repositories were taken in poisoned VS Code extension attack

GitHub confirmed that internal repositories were compromised after an employee's device was infected by a malicious Visual Studio Code extension, highlighting the increasing risks to software development platforms and third-party tools. This incident...

Ali Nemati

Malicious npm packages abuse dependency confusion to profile developer environments

Key Points of the Campaign

Related Articles

GitHub Trending: Week of May 17 – May 24, 2026

House Homeland Dems request CISA briefing amid report of leaked agency credentials

Put the Moon on Your Desk

Show HN: Hocuspocus 4 - self-hosted Yjs collaboration backend

GitHub says internal repositories were taken in poisoned VS Code extension attack