Nodejs
Mastra npm Scope Hijacked: 144 AI-Framework Packages Backdoored with the easy-day-js Stealer
An attacker hijacked a former contributor's npm account to republish ~144 @mastra packages — including @mastra/core (918K weekly downloads) — each pulling in easy-day-js, a dayjs typosquat that drops a cross-platform crypto/infostealer at install time.
Proto6: Six protobuf.js Flaws Turn Trusted Schemas Into RCE and DoS Across gRPC, Cloud, and AI Stacks
Cyera's Proto6 research discloses six CVEs in protobuf.js, including a prototype-pollution-to-RCE chain, in a library pulled 50M+ times a week across gRPC, Google Cloud SDKs, vector databases, and CI/CD.
codexui-android: npm Package Silently Exfiltrated OpenAI Codex Auth Tokens for a Month
A 29K-weekly-download npm package advertised as a remote web UI for OpenAI Codex has been quietly exfiltrating ~/.codex/auth.json — including non-expiring refresh tokens — to a fake Sentry endpoint since v0.1.82.
Axios npm Hijacked: Compromised Maintainer Account Drops Cross-Platform RAT in 100M-Download Package
DPRK-linked UNC1069 compromised the maintainer account for axios, a package present in ~80% of cloud environments, and published two backdoored versions that deployed the WAVESHAPER.V2 RAT to macOS, Windows, and Linux.