Highly Popular NPM Packages Poisoned in New Supply Chain Attack

A phishing campaign has been carried out against several popular NPM packages.

A sophisticated phishing campaign led to a major supply chain attack on the NPM ecosystem, compromising 18 highly popular packages with over 2.5 billion weekly downloads. Attackers tricked maintainers into revealing credentials, allowing them to inject browser-based malware designed to hijack cryptocurrency transactions by altering API calls and user interfaces. Although the overall financial impact appears minimal, affected systems are considered fully compromised.

Read more:

https://www.securityweek.com/highly-popular-npm-packages-poisoned-in-new-supply-chain-attack/