JFrog finds 148 npm proxy packages turned student browsers into a DDoS botnet, while a mutable loader lets operators re-arm it without updates.

JFrog finds 148 npm proxy packages turned student browsers into a DDoS botnet, while a mutable loader lets operators re-arm it without updates.

Four compromised AsyncAPI npm packages load a multi-stage botnet from IPFS after attackers abuse GitHub Actions, despite valid provenance attestations