Attackers exfiltrated sensitive data from thousands of websites, desktop applications, and mobile applications in a supply chain attack leveraging typo-squatting in popular NPM packages.
Security researchers discovered a “package planting” flaw that allows malware developers to add respected open-source contributors to malicious NPM packages without notification or approval.