• Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer’s account was compromised in a phishing attack. The attack targeted Josh Junon (aka Qix), who received an email message that mimicked npm (“support@npmjs[.]help”), urging them to update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on

  • Cybersecurity researchers at Silent Push have uncovered a sophisticated Chinese espionage operation linking two prominent threat actors, Salt Typhoon and UNC4841, revealing previously unreported infrastructure used to target government and corporate networks across more than 80 countries. The discovery of 45 malicious domains dating back to 2020 demonstrates the extensive reach and long-term persistence of […]

    The post Chinese Hackers Salt Typhoon and UNC4841 Team Up to Breach Critical Infrastructure appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • In the largest supply chain attack, hackers compromised 18 popular npm packages, which together account for over two billion downloads per week. The attack, which began on September 8th, involved injecting malicious code designed to steal cryptocurrency from users.

    The compromised packages include widely used libraries such as chalk, debug, ansi-styles, and supports-color. The malicious code was added in new versions of these packages and was engineered to execute on the client-side of websites using them.

    The malware silently intercepts cryptocurrency and Web3 activities within the browser, manipulating wallet interactions and rewriting payment destinations to redirect funds to attacker-controlled accounts.

    The malware operates as a sophisticated in-browser interceptor, targeting both network traffic and application-level APIs. It achieves this by hooking into core browser functions like fetch and XMLHttpRequest, as well as the interfaces of popular crypto wallets for Ethereum, Solana, and other blockchains, Aikido observed.

    The malicious code works in a series of steps:

    1. Injection and Hooking: It embeds itself into the browser environment and takes control of functions related to web requests and wallet communications.
    2. Scanning for Sensitive Data: The malware actively scans network responses and transaction details for patterns matching cryptocurrency wallet addresses for various blockchains, including Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash.
    3. Rewriting Wallet Addresses: Upon finding a legitimate address, the malware replaces it with a look-alike address from a hardcoded list belonging to the attackers. This is done using string-matching algorithms to make the swap less noticeable to the user.
    4. Hijacking Transactions: The code alters transaction parameters before the user signs them. This means that even if the user interface displays the correct recipient address, the signed transaction will route funds or grant token approvals to the attackers.

    The maintainer of the compromised packages revealed they fell victim to a phishing attack. An email, seemingly from npm support, was sent from the domain npmjs.help, tricking the developer into revealing their credentials, according to a Hacker News post.

    This domain was registered on September 5, 2025, only three days before the attack.

    Phishing Mail compromised the developer

    The maintainer became aware of the compromise and began taking steps to remove the malicious versions of the packages. However, at the time of the report, at least one package, simple-swizzle, remained compromised.

    The incident also revealed that the same attackers may have compromised another package, proto-tinker-wc, using similar methods.

    The following table lists the affected packages and the compromised versions:

    Package               Malicious version
    backslash             0.2.1
    chalk-template        1.1.1
    supports-hyperlinks   4.1.1
    has-ansi              6.0.1
    simple-swizzle        0.2.3
    color-string          2.1.1
    error-ex              1.3.3
    color-name            2.0.1
    is-arrayish           0.3.3
    slice-ansi            7.1.1
    color-convert         3.1.1
    wrap-ansi             9.0.1
    ansi-regex            6.2.1
    supports-color        10.2.1
    strip-ansi            7.1.1
    chalk                 5.6.1
    debug                 4.4.2
    ansi-styles           6.2.2

    The post Hackers Hijacked 18 Very Popular npm Packages With 2 Billion Weekly Downloads appeared first on Cyber Security News.

  • Hackers have hijacked 18 extremely popular npm packages, downloaded more than 2 billion times every week, injecting them with sophisticated malware that targets cryptocurrency users and developers. Early on September 8th, a security feed flagged the sudden update of 18 npm packages—including favorites like chalk, debug, chalk-template, and supports-color—with malicious code, as per a report by Aikido. These packages […]

    The post Hackers Hijack 18 Popular npm Packages Downloaded Over 2 Billion Times Weekly appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Venezuelan President Nicolás Maduro made bold claims about cybersecurity during a press conference on September 1, 2025, as he showcased a Huawei smartphone gifted to him by Chinese President Xi Jinping. Holding up the device before international media in Caracas, Maduro declared it “the best phone in the world” and asserted that “the Americans can’t […]

    The post Maduro Hails Huawei Mate X6 Gift From China as ‘Unhackable’ by U.S. appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Qualys has confirmed that it was recently impacted by a cybersecurity campaign targeting Salesloft and Drift, two third-party SaaS platforms that integrate with Salesforce. The company emphasized that customer data and its own production environments on the Qualys Cloud Platform remain fully secure, with no disruption to operations or services. The incident, which is described […]

    The post Qualys Confirms Cyberattack Campaign Targeting Salesforce via Salesloft and Drift appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Threat hunters have discovered a set of previously unreported domains, some going back to May 2020, that are associated with China-linked threat actors Salt Typhoon and UNC4841. “The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group,” Silent Push

  • The Trump administration on Monday asked the Supreme Court to overturn a lower court’s ruling and allow it to withhold $4 billion in foreign aid that was previously approved by Congress.

    The case is one of many lawsuits challenging the White House’s efforts to supersede Congress’ spending authority by canceling funding without lawmakers’ explicit approval.  

    This particular case became more complicated in late August when the Trump administration sent Congress a rescission request, asking lawmakers to cancel billions in foreign aid, including some of the funding subject to this lawsuit. 

    This “pocket rescission,” as it’s sometimes called, came within 45 days of the end of the fiscal year. Under the Trump administration’s interpretation of the law, they believe that allows them to cancel the funding even if Congress refuses to go along with the proposal. 

    The move is considered illegal by the nonpartisan Government Accountability Office and evoked ire from senior lawmakers, including Senate Appropriations Chairwoman Susan Collins, R-Maine.

    “Article I of the Constitution makes clear that Congress has the responsibility for the power of the purse,” Collins wrote in a statement. “Any effort to rescind appropriated funds without congressional approval is a clear violation of the law.”

    Administration sees executive branch ‘at war with itself’

    The appeal to the Supreme Court filed Monday urges the justices to let the legislative and executive branches figure out the spending dispute on their own and criticizes a federal district court for ordering the Trump administration to spend the money. 

    “The injunction requires the Executive Branch to rush to obligate the same $4 billion that the President has just proposed rescinding between now and September 30, and thus puts the Executive Branch at war with itself,” wrote Solicitor General D. John Sauer. “Just as the President is pressing for rescission and explaining to Congress that obligating these funds would harm U.S. foreign policy interests, his subordinates are being forced to proceed to identify and even negotiate with potential recipients.”

    The pocket rescissions request at the center of this case is separate from the one Trump sent Congress in early June that asked members to eliminate funding for numerous foreign aid accounts and the Corporation for Public Broadcasting. Lawmakers approved that proposal in July after preserving full funding for the President's Emergency Plan for AIDS Relief, or PEPFAR.

    Congress has yet to act on the second rescissions request as its leaders look for ways to fund the government ahead of an Oct. 1 shutdown deadline. 

    Attorneys for the organizations that brought the lawsuit — the AIDS Vaccine Advocacy Coalition and Global Health Council — wrote in a brief to the Supreme Court submitted Monday that they opposed the Trump administration's request to overturn the lower court’s preliminary injunction. 

    “USAID and the State Department have been under a duty to obligate these funds since at least March 2024, when Congress enacted the appropriations; they chose not to act sooner,” they wrote. “The government faces no cognizable harm from having to take steps to comply with the law for the short period while this Court considers its stay application.”

    This story was originally published by Stateline.

  • The new guard of dominant defense contractors notched big wins over the weekend, as the Army awarded $159 million to Anduril and $195 to Rivet, a startup with Palantir funding, to develop wearable virtual displays as part of the service’s Soldier Borne Mission Command program.

    SBMC is a follow-on project to the Integrated Visual Augmentation System, which is limited to a headset, while SBMC includes complementary computers and wearables like watches. In the end, Anduril founder Palmer Luckey told reporters on Monday, there will probably be “dozens” of different headsets under the program, rather than one contractor picked to make one product. 

    “I actually think that probably most of the SBMC hardware that is sold to the Army over the next 10 years…is not going to be made by Anduril. It's not going to be made by any of the people who are competing for it,” he said. “It's going to be made, basically, by adaptations of commercial devices as augmented reality and virtual reality devices proliferate.” 

    Anduril also has the contract to create the software for SBMC, which will integrate what soldiers see through their displays up through their chain of command. 

    “I don't think that any one headset can be the headset that meets every need for every soldier in the Army,” Luckey said. “I think that was one of, actually, the major mistakes…of prior soldier augmentation systems. When you try to build one heads-up display that is the right system for a frontline infantryman, and a rotary-wing pilot, and a logistician, and someone doing training, and you're trying to make it the right headset for day and for night and for dismounted use, vehicle-mounted use…when you try to be everything to everybody, you have to make so many compromises that you built something that, in the end, is not really the right thing for anyone.”

    That said, Luckey has dubbed himself “the world’s best head-mounted display designer,” going back to his creation of the Oculus Rift, an early, commercially-available VR headset.

    “There's nobody better than me, and I know what I'm doing, and I'm going to make sure that we do it the right way. And we've already proven that we're making things that do not make people sick. They do not make them throw up,” Luckey said, alluding to problems with previous IVAS prototypes. “If you're going to make something somebody wears on their face, there's a high level of friction and compromise. You need to make it very lightweight. You need to be brutal about the design of the thing, making it extremely comfortable, extremely light. And you need to make sure that it is only enhancing their experience of viewing the world, not degrading it.”

    Rivet, similarly, is focusing on “comfort, ruggedization, utility and compliance,” CEO Dave Marra told Defense One on Friday. 

    Marra said his company’s prototype will integrate an array of voice commands to connect logisticians, maintainers and others on the battlefield and create predictive intelligence.

    “These kinds of natural language interactions are the most critical element to enable,” he said. “So you think, ‘I have to control robots, and I have to do it without significant training and learning. I want to recognize nouns on the battlefield that could be a target: that could be a good guy, a bad guy, or another noun on the factory floor. I want to identify anomalies, more importantly, correlate in these data sets.’”

    The program will be a key proving ground for the Army’s Transformation-in-Contact strategy, which aims to rapidly develop and field new technology by bringing prototypes into the field for soldiers to test and provide feedback on, and companies can quickly incorporate that feedback.

    “I don't think that there's an appetite to spend years playing around with these exercises and demos. There is, there is an appetite to get this stuff into real combat as fast as possible, so we can see where it works, see where it falls apart,” Luckey said. “I'm thinking about this as something where we need to be delivering a system that, like other integral products that are being fielded in combat, it needs to work. It can't break, it can't put people in danger…It can't make people cybersick. And that is how we are treating this, regardless of whether it's named as a prototype sprint.”

  • The Marine Corps plans to push ahead with buying the Joint Light Tactical Vehicle to replace its Humvees, though it may end up with fewer than planned if the Army’s sudden exit drives up the cost per vehicle.

    In May, the Army announced a spate of cuts that would, among other things, end its purchases of the JLTV. The service, which has been fielding the vehicles since 2019, was still taking delivery under a joint order for 30,000 in 2023.

    The Marine Corps has procured half of its total 15,000 planned buy of JLTVs, spokesman David Jordan told Defense One.

    While the Marines have discussed next steps with the Army and AM General, JLTV’s manufacturer, it’s unclear how the larger service’s exit will affect things. 

    The Army was not able to respond to questions from Defense One about the state of its JLTV program by press time.

    The Corps was “still assessing the full impact of the Army’s abrupt exit from the joint program,” Gen. Eric Smith, the Marine Corps commandant, told the House Appropriations Committee in May.

    Smith said he expected the costs of JLTVs to go up, adding, “That’s going to negatively impact the Marine Corps’ ability to fulfill its ground tactical vehicle mobility strategy, which has me concerned.”

    At the current negotiated rate, which takes into account the Army’s previous plan to buy tens of thousands of them, a JLTV runs about $400,000 each. 

    A month later, Smith told the Senate Appropriations Committee that the Corps would have to buy fewer JLTVs without a budget increase, adding that the Army did not consult his service before announcing it would stop buying the vehicles.

    At the time, an Army leader told reporters they wouldn’t have to pay any settlement to AM General to cancel the contract, because the latest tranche buy of vehicles had been delivered in January, and the service would simply not be ordering the next round.

    AM General did not respond to a request for comment from Defense One, but in a May press release said they were committed to continuing to produce their contractually obligated JLTVs, as well as Humvees.

    “As we work to understand the significance of the DOD’s recent communications, we will continue to operate our HUMVEE and JLTV A2 assembly lines and our Aftermarket Fulfillment facility as normal to meet our contractual requirements and serve the Warfighter,” the release said, including a backlog of vehicles scheduled to be delivered through the end of the contract in 2027.

    The company stood to net up to $8.6 billion from the full contract, which included an option to re-up for 2028. 

    “The government has tremendous flexibility on contracts in terms of, you know, they can cancel it anytime,” Jerry McGinn, a senior fellow at the Center for Strategic and International Studies and former senior official in DOD’s Office of Manufacturing and Industrial Base Policy, told Defense One.

    Cancellation options are written into every contract, McGinn added, giving the government the right to axe an agreement because of performance, but also for their own convenience, as with the JLTV situation.

    “And then the company, they go into these contracts knowing that the government can do this,” he said.

    The Marine Corps’s fiscal year 2026 budget request doesn’t include any new JLTVs. However, the House of Representatives’ June committee report on the 2026 DOD funding bill recommends putting $345 million into Army JLTVs and another $169 million for the Corps, a reminder that it’s not always up to the individual services whether they can cancel a program.

    While the government is always within its right to cancel a contract, the Army Transformation Initiative does raise some questions about its reliability as a customer, McGinn said. 

    Companies expect that a new president could come with changes in priorities, he said, but “some administrations are more unpredictable than others.” 
