// #package-manager

3 articles

💻 AppSec

Miasma / Shai Hulud Supply Chain Campaign: 100+ npm and PyPI Packages Compromised Including Red Hat Namespace

Security researchers have attributed a coordinated software supply chain attack to a threat cluster tracked as Miasma (also Shai Hulud), which compromised over 100 packages across npm and PyPI by stealing publisher credentials and injecting malicious code. The campaign reached the official Red Hat npm namespace, exposing organisations that rely on internal package mirror strategies as a security control.

#supply-chain +8
💻 AppSec

pnpm 11 Defaults to 24-Hour Package Age Minimum — Blocking Automated Post-Publish Supply Chain Attacks

pnpm 11, released this week, introduces a package quarantine feature that by default blocks installation of any npm package published within the past 24 hours. The control targets the automated post-publish compromise pattern used by TeamPCP, CanisterSprawl, and similar supply chain threat actors who publish malicious package versions and immediately trigger mass installation before defenders can respond. It is the most substantive supply-chain-defensive default configuration added to a package manager since npm's provenance attestation.

#pnpm +7
💻 AppSec

Official SAP npm Packages Compromised to Steal Enterprise Developer Credentials

Threat actors compromised official SAP npm packages to insert credential-harvesting code targeting enterprise developers working on SAP integration projects. The malicious packages exfiltrate environment variables, SSH keys, and cloud credentials from developer workstations. Enterprise teams using SAP npm packages in their CI/CD pipelines should audit package integrity and rotate potentially exposed credentials.

#sap +5