40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials
16 September 2025
Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers.
"The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling