Live Threats
  • [CVE-2026-1234] Windows CLFS Driver zero-day — active exploitation in the wild, patch immediately
  • [CVE-2026-0891] Fortinet FortiOS auth bypass — unauthenticated RCE on SSL-VPN appliances
  • [CVE-2026-2201] Palo Alto PAN-OS command injection — CVSS 9.8, firewall management interfaces exposed
  • [PATCH] Microsoft April 2026 Patch Tuesday — 147 CVEs addressed, 12 rated Critical
  • [BREACH] Healthcare provider data breach exposes 2.3M patient records — HIPAA enforcement expected
  • [CVE-2026-1887] Chrome V8 engine type confusion — remote code execution via malicious web pages
  • [COMPLIANCE] PCI DSS 4.0.1 deadline approaching — multi-factor authentication now mandatory for all access
  • [CVE-2026-3310] Cisco IOS XE privilege escalation — network devices running 17.x firmware at risk
  • [RANSOMWARE] LockBit 4.0 variant targeting SMBs via exposed RDP — San Antonio businesses at elevated risk
  • [ADVISORY] Adobe Acrobat Reader critical update — PDF-based phishing campaigns exploiting unpatched installs
Supply Chain Attack: 14 Malicious npm Packages Downloaded 2.3 Million Times
THREAT INTEL | HIGH

April 10, 2026
4 min read
Source: Socket Security / npm Security Team
Executive Summary

Security researchers discovered 14 malicious npm packages that had been quietly injecting credential-stealing code into Node.js applications for over 6 months. The packages mimicked popular libraries with typosquatting names.

What Happened

Socket Security researchers discovered 14 malicious npm packages that had been published to the npm registry and downloaded approximately 2.3 million times over a period of six months. The packages used typosquatting — naming themselves with slight variations of popular, legitimate packages — to trick developers into installing them; for example, a package named "lodahs" instead of "lodash", or "expres" instead of "express". Once installed, the packages injected credential-stealing code that ran silently in the background, collecting environment variables, API keys, database credentials, and other sensitive information and sending it to attacker-controlled servers.

What Data Was Stolen

The malicious packages were designed to steal environment variables, which in Node.js applications often contain database connection strings, API keys, cloud provider credentials, and other sensitive configuration data. The packages also attempted to steal SSH keys and other credential files from the developer's home directory. In production environments, this could mean that attackers now have access to database credentials, cloud infrastructure credentials, and API keys for third-party services. Organizations that ran affected packages in production should assume that all environment variables and credentials on those systems are compromised.

Immediate Actions for Development Teams

First, check your package.json and package-lock.json files against the list of 14 malicious packages published by Socket Security (available at socket.dev/blog). If any of the malicious packages are present, remove them immediately and rotate all credentials that may have been exposed. Run npm audit on all of your projects to identify known vulnerabilities in your dependencies. Implement a software composition analysis (SCA) tool such as Snyk, Socket, or GitHub's Dependabot to automatically scan for malicious and vulnerable packages in your CI/CD pipeline. Consider implementing a policy requiring security review before adding new npm packages to your projects.

Key Takeaways & Action Items
  • Audit your package.json files for the 14 malicious packages listed in the Socket Security advisory
  • Run a dependency security scan using npm audit or a dedicated SCA tool
  • Implement a software composition analysis (SCA) tool in your CI/CD pipeline
  • Review your npm package installation policies — consider requiring package review before installation
  • Rotate any credentials that may have been exposed on systems running affected packages
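
As an added example (not code from Socket Security, npm, or this site), the audit step above written as a small Node.js script: it collects every package name from package.json and package-lock.json, including transitive dependencies that only appear in the lockfile, checks each name against a blocklist, and additionally flags names that are a single edit (including a swapped pair of letters) away from a well-known package, which goes beyond the article's exact-list check. The blocklist, the list of well-known packages, and the sample manifest and lockfile are constructed placeholders; the real list of 14 packages is in the Socket Security advisory.

```javascript
// Dependency audit for the typosquatting scenario described in the article.
// ASSUMPTION: BLOCKLIST and POPULAR are constructed placeholders, not the
// advisory's real list; replace them with the names published by Socket Security.
const BLOCKLIST = new Set(["lodahs", "expres"]); // the two names quoted in the article
const POPULAR = ["lodash", "express", "react", "axios"]; // short constructed list of lookalike targets

// Collect every package name from package.json plus the lockfile, so that
// transitive dependencies (the ones developers rarely look at) are included.
// Handles lockfile v2/v3 ("packages" keyed by node_modules path) and v1 (nested "dependencies").
function collectPackageNames(pkgJson, lockJson) {
  const names = new Set();
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(pkgJson[field] || {})) names.add(name);
  }
  if (lockJson) {
    for (const path of Object.keys(lockJson.packages || {})) {
      if (path === "") continue; // "" is the root project entry, not a dependency
      // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
      const idx = path.lastIndexOf("node_modules/");
      names.add(path.slice(idx + "node_modules/".length));
    }
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        names.add(name);
        walk(entry.dependencies);
      }
    };
    walk(lockJson.dependencies);
  }
  return names;
}

// Optimal string alignment distance: Levenshtein plus adjacent transpositions,
// so "lodahs" vs "lodash" scores 1 rather than 2.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => {
    const row = new Array(b.length + 1).fill(0);
    row[0] = i;
    return row;
  });
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns a sorted list of findings: exact blocklist hits, and names within one
// edit of a well-known package that are not that package itself.
function auditDependencies(pkgJson, lockJson, blocklist = BLOCKLIST, popular = POPULAR) {
  const findings = [];
  for (const name of collectPackageNames(pkgJson, lockJson)) {
    if (blocklist.has(name)) {
      findings.push({ name, reason: "blocklisted", lookalikeOf: null });
      continue;
    }
    for (const target of popular) {
      if (name !== target && osaDistance(name, target) <= 1) {
        findings.push({ name, reason: "lookalike", lookalikeOf: target });
        break;
      }
    }
  }
  return findings.sort((x, y) => x.name.localeCompare(y.name));
}

// Audit a real project directory (package-lock.json is optional).
function auditProject(dir) {
  const fs = require("fs");
  const path = require("path");
  const read = (f) => (fs.existsSync(path.join(dir, f)) ? JSON.parse(fs.readFileSync(path.join(dir, f), "utf8")) : null);
  return auditDependencies(read("package.json") || {}, read("package-lock.json"));
}

// Constructed sample manifest and v3 lockfile: one blocklisted direct dependency
// and one transitive lookalike of "axios" that never appears in package.json.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: { express: "^4.19.0", lodahs: "^4.17.21" },
  devDependencies: { jest: "^29.0.0" },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/lodahs": { version: "4.17.21" },
    "node_modules/jest": { version: "29.7.0" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/axois": { version: "1.0.0" },
  },
};

const targetDir = process.argv[2];
const results = targetDir ? auditProject(targetDir) : auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
for (const f of results) {
  console.log(`${f.reason.toUpperCase()}: ${f.name}${f.lookalikeOf ? " (looks like " + f.lookalikeOf + ")" : ""}`);
}
```

Run it as `node audit-deps.js /path/to/project` to scan a real checkout, or with no argument to see the constructed sample flag "axois" (transitive lookalike) and "lodahs" (blocklisted). The lookalike check is a heuristic: a hit means a human should confirm the package against the registry, and a legitimate package whose name happens to sit one edit from a popular one will also be reported.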

Need Help With This Threat?

Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.
