Attackers Are Hunting High-Impact Node.js Maintainers in a C...

socket.dev

Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.

3 pages link to this URL

Newsletter #013: Large Phishing Operations Against Maintainers 🎯

blog.ulisesgascon.com Ulises Gascon Apr 7, 2026

A coordinated phishing campaign is targeting high-impact open source maintainers. Plus: Scorecard v6 evolving into a security evidence engine, 12 CVEs patched across undici, fastify, path-to-regexp and lodash, and a conversation about Node.js in production.

0 inbound links Article en

Why “Trusted Publishing” Can’t Save Us from Social Engineering

Adventures in Nodeland Matteo Collina May 2, 2026

Unmasking the risky illusion of npm's "trusted publishing" amidst recent cyber attacks.

0 inbound links website en

The case for dependency cooldowns in a post-axios world | Datadog Security Labs

Datadoghq Kennedy Toomey Apr 16, 2026

Understanding npm and the importance of dependency cooldowns.

1 inbound link article en