本文介绍了如何为npm包打补丁，以hexo-minify包为例。由于npm包维护滞后，提供了两种常用且有效的补丁方法，帮助开发者解决问题。

绿盟科技CERT监测到axios的npm仓库遭受供应链攻击，攻击者发布了带有木马的恶意版本，影响了axios 1.14.1和0.30.4。建议用户立即降级并清除恶意依赖，同时建立安全审计机制以防范此类威胁。

TanStack has released a detailed postmortem describing a sophisticated supply-chain attack that compromised 42 npm packages and published 84 malicious package versions in just six minutes,...

OX安全团队发现黑客利用开源蠕虫病毒Shai-Hulud发起攻击，NPM注册表中出现4个恶意包，其中一个直接克隆了该病毒。黑客仅修改了C2服务器，降低了攻击难度。这些恶意包主要用于窃取开发者的敏感凭证，未来可能导致更多类似攻击。

微软已删除黑客团队TeamPCP发布的针对NPM生态系统的蠕虫病毒Shai-Hulud的开源库，并封禁相关账号。尽管采取了措施，源代码仍在网上流传，黑客仍可获取并使用。

TanStack系列工具包遭到供应链攻击，黑客发布了84个恶意NPM包，可能窃取开发者的敏感凭据。TanStack已弃用受影响版本，并清理了GitHub Actions缓存，建议开发者立即进行排查。

npmx is an open-source package browser for the npm registry, developed by Daniel Roe and over 250 contributors. It emphasizes speed and features absent in the official npmjs.com interface, such as...

Anthropic's Claude Code CLI had its full TypeScript source exposed after a source map file was accidentally included in version 2.1.88 of its npm package. The 512,000-line codebase was archived to...

On March 31, 2026, two versions of the Axios library were compromised and found to contain a Remote Access Trojan. The malicious packages were published through a hijacked maintainer account. The...

OpenClaw AI 机器人项目受到 Axios 供应链攻击，用户需立即检查系统并更换密钥以确保安全。黑客通过恶意版本劫持 NPM 账号。