The campaign spans npm, Packagist, Go, and Chrome, using obfuscated JavaScript loaders and VS Code tasks to deliver malware.
JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
This package (jsonstat-toolkit) contains the JSON-stat JavaScript Toolkit. There are three major versions. Version 2 is the last one and should work on any modern browser: it has been developed using ...
On June 24, 2026, Microsoft’s Digital Crimes Unit (DCU) facilitated the takedown, suspension, and blocking of domains that ...
Customer stories Events & webinars Ebooks & reports Business insights GitHub Skills ...