July 6, 2026
npm install is the new phishing email
108 malicious packages and browser extensions across npm, Golang, and Google Chrome. All tied to North Korean campaign.

By Stanislav Klevtsov
1 min read
In parallel, fake Rollup polyfills are built to steal developer secrets.
DAEMON Tools shipped malware through its own installer in a supply chain compromise.
Attackers deliver malware as a dependency and let you handle the delivery. If your supply chain defense depends on a developer checking a package before install, you are defending against 2019.
Enforce checks against the package, CI, or the registry. Use the free versions of Snyk, Semgrep, or Trivy to do that.
That costs you nothing but saves you from a headache later on.
Developers are lazy. Especially in the age of AI.
Do the Knowledge Sharing and Cyber Awareness. But do not rely solely on people, or, even worse, agents. Agree?
Don't miss
→ Bad Epoll Linux Kernel Flaw Lets Unprivileged Users Gain Root
I recommend
→ Escape benchmarked Anthropic Opus 4.8 with AIkido Security and XBOW to find 4x more vulns than the raw model
→ badkeys/badkeys — Tool by Hanno Böck that checks cryptographic public keys for known vulns
Top CVEs to patch
- Langflow un-auth RCE (CVE-2026–48519)
- Apache Tomcat 9.0/10.1/11.0 (CVE-2026–55957)
- Google Chrome 250+ CVEs, update to 150.0.7871.46
- Microsoft SharePoint PrivEsc (CVE-2023–29357)
- DAEMON Tools Lite supply chain (CVE-2026–8398)
- WordPress ARMember account takeover (CVE-2026–5076)
- NVIDIA Triton Inference Server 8 CVEs (incl. CVE-2026–24207)
- IBM Engineering Lifecycle Management auth bypass (CVE-2026–3660)
- Progress Kemp LoadMaster pre-auth RCE (CVE-2026–8037)
- SimpleHelp OIDC auth bypass (CVE-2026–48558)
Follow me
Join my Telegram channel and LinkedIn to follow security updates.