News

At the same time, security researchers at Wiz released a separate announcement, saying the malicious versions were carrying infostealing malware, grabbing secrets such as GitHub and npm tokens, SSH keys, ...
The popular Nx build system, boasting 4 million downloads each week, was exploited in the first supply chain breach to use AI assistants.
The second flaw, meanwhile, allows attackers to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks.
Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.