<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Npm on CybersecurityOS</title><link>http://www.cybersecurityos.net/tags/npm/</link><description>Recent content in Npm on CybersecurityOS</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sun, 12 Jul 2026 18:53:29 -0500</lastBuildDate><atom:link href="http://www.cybersecurityos.net/tags/npm/index.xml" rel="self" type="application/rss+xml"/><item><title>OS Weekly: A Poisoned npm Package, CISA's Patch Deadline &amp; AI's Double Edge</title><link>http://www.cybersecurityos.net/posts/os-weekly/os-weekly-2026-07-12/</link><pubDate>Sun, 12 Jul 2026 00:00:00 +0000</pubDate><guid>http://www.cybersecurityos.net/posts/os-weekly/os-weekly-2026-07-12/</guid><description>&lt;p&gt;The software supply chain stayed the softest target in the room this week: a poisoned npm package was quietly dropping an infostealer on developer machines within minutes of publishing. CISA gave federal agencies a hard deadline on an actively exploited AI-framework flaw, and two separate pieces this week wrestled with the same question from opposite directions — is AI tipping the scales toward attackers or defenders? Here&amp;rsquo;s the rundown.&lt;/p&gt;
&lt;h2 id="critical-threats--active-exploits"&gt;Critical Threats &amp;amp; Active Exploits&lt;/h2&gt;
&lt;h3 id="a-compromised-npm-package-was-dropping-an-infostealer-within-six-minutes-of-publishing"&gt;A compromised npm package was dropping an infostealer within six minutes of publishing&lt;/h3&gt;
&lt;p&gt;&lt;img src="https://www.dropbox.com/scl/fi/zmib48m9lfuvpvmzm5t6m/Compromised-npm-release-of-jscrambler-8.14.0-drops-Rust-infostealer..png?rlkey=x680ut34rdqat63dsj1kumatb&amp;amp;raw=1" alt="Illustration representing the compromised jscrambler npm package supply-chain attack"&gt;&lt;/p&gt;</description></item></channel></rss>