JFrog Security Real Time Posts
Last Updated On 30 Jun, 2026

JFrog Security Research identified malicious npm packages masquerading as Rollup polyfill tooling and leading to a multi-stage JavaScript payload.

JFrog Security Research identified a new Shai-Hulud/Hades npm wave affecting 20 packages in the Leo/RStreams ecosystem.

During an audit of recent Linux kernel patches, the JFrog Security Research team identified that despite fixes addressing the DirtyFrag vulnerability family, a residual issue remained unaddressed.

JFrog Security Research identified two hijacked npm packages, `html-to-gutenberg` and `fetch-pacage-assets`, that used a hidden VS Code task to launch a multi-stage malware chain. The payloads used blockchain transaction data as dead drops, installed JavaScript and Python runtime components, and deployed a backdoor and infostealer targeting credentials, browsers, wallets, developer tools, and environment secrets.

JFrog Security Research analyzed a suspicious npm package named postcss-minify-selector-parser. The package impersonates the popular PostCSS selector-parser ecosystem and hides a multi-stage payload that downloads a Windows Python/Nuitka RAT.

A supply chain campaign targeting Mastra npm packages added the malicious `easy-day-js` dependency, causing installs to execute a staged Node.js backdoor with persistence, reconnaissance, C2 polling, and remote code execution.

The JFrog Security Research team analyzed a Shai-Hulud sample whose obfuscation evaded most AI-assisted malware scanners.

JFrog Security Research identified Solana FakeFix, a campaign of 24 malicious npm and PyPI packages that lured Solana developers with fake stable-build fixes while stealing wallets, developer tokens, and CI secrets.

In this article we present research on a malicious npm package that led us to IronWorm: a Rust-built infostealer that scrapes secrets from developer machines, hides behind an eBPF kernel rootkit, and uses Tor for C2. Like Shai-Hulud, it turns stolen credentials into a propagation mechanism, committing itself into victims' GitHub repositories and publishing to the npm registry.

JFrog Security Research analyzed 31 hijacked `@redhat-cloud-services` npm package versions carrying a new Shai-Hulud variant. The campaign, identified in the payload as "Miasma: The Spreading Blight", uses install-time execution, layered JavaScript obfuscation, Bun-based payload delivery, credential theft, GitHub and npm propagation, and destructive persistence.
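Two execution triggers recur in the campaigns listed above: npm lifecycle scripts that run during installation (the Miasma variant's install-time execution) and a VS Code task set to run when a folder is opened (the `html-to-gutenberg` hijack). The following is an added example, not code from JFrog or from any of the packages described, of a minimal audit that flags both triggers in an extracted npm tarball. It assumes the standard tarball layout (files under `package/`), the standard `package.json` `scripts` field, and VS Code's `runOptions.runOn: "folderOpen"` task setting; the sample package contents are constructed for the example.

```python
"""Audit an extracted npm package for install-time and editor-open execution hooks."""
import json

# npm lifecycle scripts that execute during `npm install` without any further user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def strip_line_comments(text):
    """Drop full-line // comments so VS Code's JSONC-style tasks.json parses as JSON."""
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))


def find_install_hooks(package_json_text):
    """Return [(hook, command)] for lifecycle scripts that run at install time."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def find_autorun_tasks(tasks_json_text):
    """Return [(label, command)] for tasks configured to run when the folder is opened."""
    data = json.loads(strip_line_comments(tasks_json_text))
    hits = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append((task.get("label", "<unlabelled>"), task.get("command", "")))
    return hits


def audit_package(files):
    """files: {relative_path: text} for an extracted tarball. Returns a list of findings."""
    findings = []
    pkg = files.get("package/package.json")
    if pkg:
        for hook, cmd in find_install_hooks(pkg):
            findings.append(f"install-time script {hook}: {cmd}")
    for path, text in files.items():
        if path.endswith(".vscode/tasks.json"):
            for label, cmd in find_autorun_tasks(text):
                findings.append(f"auto-run VS Code task {label!r} in {path}: {cmd}")
    return findings


# Constructed sample package; the names and commands are illustrative, not from a real campaign.
SAMPLE_PACKAGE = {
    "package/package.json": json.dumps({
        "name": "example-hijacked-pkg",
        "version": "1.0.1",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }),
    "package/.vscode/tasks.json": (
        '{\n'
        '  // VS Code accepts comments in this file\n'
        '  "version": "2.0.0",\n'
        '  "tasks": [{"label": "bootstrap", "type": "shell",\n'
        '             "command": "node .vscode/bootstrap.js",\n'
        '             "runOptions": {"runOn": "folderOpen"}}]\n'
        '}'
    ),
}

if __name__ == "__main__":
    for finding in audit_package(SAMPLE_PACKAGE):
        print(finding)
```

A hit on either check is a reason to read the referenced script before installing, not proof of malice: legitimate native modules use `install`/`postinstall`, and whether a `folderOpen` task actually fires depends on the editor's workspace trust and automatic-task settings. Running `npm install --ignore-scripts` in CI removes the first trigger outright.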