JFrog Security Real Time Posts

Last Updated On 30 Jun, 2026

Lazarus-Linked npm Malware Masquerades as Rollup Polyfills

JFrog Security Research identified malicious npm packages masquerading as Rollup polyfill tooling and leading to a multi-stage JavaScript payload.

Published on 30 Jun, 2026

Real Time Post

Shai-Hulud Continues: Hades Payload Hits Leo/RStreams npm Packages

Yair Benamou, JFrog Security Researcher

JFrog Security Research identified a new Shai-Hulud/Hades npm wave affecting 20 packages in the Leo/RStreams ecosystem.

Published on 25 Jun, 2026

Real Time Post

Dissecting and Exploiting Linux LPE Variant: DirtyClone (CVE-2026-43503)

By Eddy Tsalolikhin, JFrog Security Researcher and Or Peles, JFrog Vulnerability Rearcher

During an audit of recent Linux kernel patches, the JFrog Security Research team identified that despite fixes addressing the DirtyFrag vulnerability family, a residual issue remained unaddressed.

Published on 25 Jun, 2026

Real Time Post

Hijacked npm Packages Use Novel VSCode Autorun and Blockchain Dead Drops to Deploy a Credential/Crypto Stealer

Guy Korolevski and Yair Benamou, JFrog Security Researchers

JFrog Security Research identified two hijacked npm packages, `html-to-gutenberg` and `fetch-pacage-assets`, that used a hidden VS Code task to launch a multi-stage malware chain. The payloads used blockchain transaction data as dead drops, installed JavaScript and Python runtime components, and deployed a backdoor and infostealer targeting credentials, browsers, wallets, developer tools, and environment secrets.

Published on 24 Jun, 2026

Real Time Post

From PostCSS Masquerading to Windows RAT

Yair Benamou, JFrog Security Researcher

JFrog Security Research analyzed a suspicious npm package named postcss-minify-selector-parser. The package impersonates the popular PostCSS selector-parser ecosystem and hides a multi-stage payload that downloads a Windows Python/Nuitka RAT.

Published on 22 Jun, 2026

Real Time Post

easy-day-js: Supply Chain Campaign Targets Mastra npm Packages

Guy Korolevski, JFrog Security Researcher

A supply chain campaign targeting Mastra npm packages added the malicious `easy-day-js` dependency, causing installs to execute a staged Node.js backdoor with persistence, reconnaissance, C2 polling, and remote code execution.

Published on 17 Jun, 2026

Real Time Post

The malware that wants your AI scanner to look away

David Cohen, JFrog Security Researcher

The JFrog Security Research team discovered a very interesting sample of Shai Hulud bypassing most of AI-fueled scanners

Published on 15 Jun, 2026

Real Time Post

Solana FakeFix: 25 Malicious npm and PyPI Packages Lure Developers With Fake Stable Builds

Guy Korolevski and Andrii Polkovnychenko, JFrog Security Researchers

JFrog Security Research identified Solana FakeFix, a campaign of 24 malicious npm and PyPI packages that lured Solana developers with fake stable-build fixes while stealing wallets, developer tokens, and CI secrets.

Published on 11 Jun, 2026

Real Time Post

IronWorm: Shai-Hulud's rustier cousin

JFrog Security Research Team

In this article we present research on a malicious npm package that led us to IronWorm: a Rust-built infostealer that scrapes secrets from developer machines, hides behind an eBPF kernel rootkit, and uses Tor for C2. Like Shai-Hulud, it turns stolen credentials into a propagation mechanism, committing itself into victims' GitHub repositories and publishing to the NPM registry.

Published on 3 Jun, 2026

Real Time Post

Shai-Hulud - Miasma: The Spreading Blight Hits Red Hat npm Packages

Guy Korolevski, JFrog Security Researcher

JFrog Security Research analyzed 31 hijacked `@redhat-cloud-services` npm package versions carrying a new Shai-Hulud variant. The campaign, identified in the payload as "Miasma: The Spreading Blight", uses install-time execution, layered JavaScript obfuscation, Bun-based payload delivery, credential theft, GitHub and npm propagation, and destructive persistence.

Published on 1 Jun, 2026