
18 Popular npm Packages Compromised in Attack

In other dev news, Apple to add Accessibility Nutrition Labels, a new Kotlin release, and DigitalOcean's Kubernetes Gateway API as a service.
Sep 13th, 2025 6:00am by

Aikido Security detected a series of packages being pushed to npm that appeared to contain malicious code, according to a post by Charlie Eriksen, a security researcher with the firm.

These were 18 popular packages with more than 2 billion downloads per week, according to Eriksen.

“The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user,” Eriksen stated.

He lists all the infected packages, but the more popular targets were:

  • color-name with 191.71m downloads per week;
  • color-convert with 193.5m downloads per week;
  • wrap-ansi with 197.99m downloads per week;
  • ansi-regex with 243.64m downloads per week;
  • supports-color with 287.1m downloads per week;
  • strip-ansi with 261.17m downloads per week;
  • chalk with 299.99m downloads per week;
  • debug with 357.6m downloads per week;
  • ansi-styles with 371.41m downloads per week.

He explains how the malware works in detail in the post, but writes that it’s essentially a browser-based interceptor that hijacks both network traffic and application APIs.
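To check a project against the package names listed above, the following added example (not code from Aikido's post or from this article) walks an npm lockfile's `packages` map and reports every resolved copy, including nested ones. It assumes `lockfileVersion` 2 or 3; the sample lockfile, its placeholder versions and the `flagged` map are constructed, because the article does not give the affected version numbers, which must be taken from the advisory.

```javascript
// Package names taken from the list in the article.
const WATCHED = new Set([
  "color-name", "color-convert", "wrap-ansi", "ansi-regex", "supports-color",
  "strip-ansi", "chalk", "debug", "ansi-styles",
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// lock: parsed package-lock.json. flagged: { name: [versions] } copied from the
// advisory (hypothetical parameter; empty by default, so every hit is "review").
function auditLockfile(lock, flagged = {}) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !WATCHED.has(name)) continue; // exact match only, so "@acme/debug" is skipped
    const bad = (flagged[name] || []).includes(meta.version);
    findings.push({ name, version: meta.version, path: lockPath,
                    status: bad ? "FLAGGED" : "review" });
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile; versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.1-example" },
    "node_modules/express": { version: "0.0.2-example" },
    "node_modules/express/node_modules/debug": { version: "0.0.3-example" },
    "node_modules/@acme/debug": { version: "0.0.4-example" },
  },
};
// Constructed stand-in for the advisory's version list.
const SAMPLE_FLAGGED = { debug: ["0.0.3-example"] };

for (const f of auditLockfile(SAMPLE_LOCK, SAMPLE_FLAGGED)) {
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.version}  (${f.path})`);
}
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` as `lock`; the nested `debug` entry shows why transitive copies need checking as well as direct dependencies.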

Apple Wants Accessibility Nutrition Labels on Apps

Apple is about to roll out “Accessibility Nutrition Labels” on apps to help users determine how accessible the app is before downloading it.

“The labels appear on the app product page and will help users understand if they can use a feature like VoiceOver or Larger Text to complete common tasks in the app,” the documentation states.

The labels will be voluntary at the beginning, to give developers a chance to prepare and evaluate their offering.

“You’ll be given ample time and evaluation resources before this is mandatory, but over time, you’ll be required to share accessibility support details to submit new apps and app updates to the App Store,” the documentation states.

It will include information about accessibility features such as:

  • VoiceOver, which allows users to navigate an app using gestures, keyboard, braille and speech output.
  • Voice Control, which enables users to navigate an app using their voice to tap, swipe, click, type, etc. This feature is not supported on Apple TV and Apple Watch.
  • Larger Text, which increases the text size in the app to 200% or more. This accessibility feature isn’t supported on Mac and Apple TV.
  • Dark Interface
  • Differentiate without Color Alone, which uses shapes and text in addition to or instead of color to distinguish key information.
  • Sufficient Contrast, which adjusts the contrast between text or iconography and background.
  • Reduced Motion, which modifies or reduces certain types of animation that may cause motion sickness or discomfort.
  • Captions
  • Audio Descriptions, which enables users to hear audio descriptions of video content in a clip, show, or movie with time-synchronized narration.

The Accessibility Nutrition Labels will appear on Apple devices running iOS 26, iPadOS 26, macOS 26, tvOS 26, visionOS 26, and watchOS 26 or later.

Beginning this fall, users will be able to include Accessibility Nutrition Label features as part of their search query to make their results more relevant.

“The common guiding principles of accessibility are that content, controls, and interfaces should be perceivable, operable, understandable, and robust,” Apple’s documentation states. “Keep these principles in mind as you’re evaluating your app.”

Accessibility specialist Geri Reid provided a walk-through of the Accessibility Nutrition Labels requirements, including how to audit your app in preparation for the change.

Kotlin Releases Beta of Kotlin/Wasm

Kotlin released version 2.2.0 on Wednesday, with a beta release of Kotlin/Wasm. The beta support of Wasm offers “greater stability along with improvements such as separated npm dependencies, refined exception handling for JavaScript interop and built-in browser debugging support,” the release notes state.

Previously, Kotlin Multiplatform didn’t include a shared source set for JavaScript (js) and WebAssembly (wasmJs) web targets by default. Now, Kotlin adds a new shared source set for JavaScript and WebAssembly targets.

“Starting with this release, the Kotlin Gradle plugin adds a new shared source set for web (comprising webMain and webTest) when you use the default hierarchy template,” the release notes state. “With this change, the web source set becomes a parent of both js and wasmJs source sets.”

This version also offers improved exception handling in Kotlin/Wasm and JavaScript interop. The update also makes Swift export available by default in Kotlin Multiplatform. That should simplify code sharing and enhance the developer experience. Finally, it incorporates better exception handling, npm dependency management and built-in browser debugging.

DigitalOcean Supports Kubernetes Gateway API

DigitalOcean now supports the Kubernetes Gateway API as a managed service. It comes pre-installed in all of DigitalOcean’s Kubernetes clusters at no extra cost.

The Gateway API provides a more advanced and flexible traffic management solution than the traditional Ingress API, which manages external access to services within a cluster.

Senior Product Manager Kang Xie explained in a blog post that this creates a number of benefits, including:

  • Zero configuration required because the Gateway API support comes pre-installed via Cilium in all DigitalOcean Kubernetes clusters;
  • Advanced traffic management via support for header-based routing, traffic splitting and canary deployments;
  • Superior performance due to Cilium’s eBPF implementation operating in the kernel space, eliminating proxy overhead;
  • Native load balancer integration;
  • Multitenant readiness with built-in support for cross-namespace resource sharing with secure RBAC; and
  • A future-proof API that supports active development and standardization by the Kubernetes community.

The service is powered by Cilium’s eBPF implementation, which processes traffic directly in the Linux kernel for better performance.
