Days since last NPM compromiseIt has been
since the last major NPM supply chain compromiseMay 11, 2026:
Postmortem: TanStack npm supply-chain compromise
April 29, 2026:
Official SAP npm packages compromised to steal credentials
April 23, 2026:
Bitwarden CLI npm package compromised to steal developer credentials
April 22, 2026:
Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware
April 4, 2026:
OtterCookie Expands Targeting to AI Coding Tools: Analysis of a Trojanized npm Campaign
April 3, 2026:
Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2
March 30, 2026:
axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
March 20, 2026:
TeamPCP deploys CanisterWorm on NPM following Trivy compromise
February 18, 2026:
Cline CLI npm Package Compromised via Suspected Cache Poisoning Attack
December 21, 2025:
NPM Package With 56K Downloads Caught Stealing WhatsApp Messages
