New supply-chain attack making the rounds: a popular npm package got a malicious post-install that exfiltrated env vars to a webhook. Maintainer account had no 2FA. Lock your dependencies, pin your hashes, audit your post-install scripts. #programming #technology

Jun 24, 2026, 10:24 PM