npm Staged Publishing: What Maintainers Should Change Now
npm CLI 11.15.0 adds staged publishing and new install-source controls. Here is what maintainers should enable, what CI should change, and what to check before the next package release.
News desk
Security incidents, exploited vulnerabilities, breach reports, malware campaigns, and urgent patch notes arranged for fast daily scanning.
July 15, 2026
npm CLI 11.15.0 adds staged publishing and new install-source controls. Here is what maintainers should enable, what CI should change, and what to check before the next package release.
CERT-UA says Ghostwriter used compromised accounts and fake Prometheus certificate lures to target Ukrainian government entities with OYSTERFRESH malware.
Check Point says Nimbus Manticore used SEO poisoning, fake software lures, and installer abuse to deploy the new MiniFast backdoor during regional conflict activity.
Europol says First VPN, a Russian-speaking cybercrime VPN, was dismantled in Operation Saffron after years of use by ransomware actors and fraud crews.
Langflow CVE-2025-34291 can turn a malicious webpage into account takeover and RCE through CORS, refresh-token handling, and code validation. Check versions, exposure, and session…
Trend Micro patched an Apex One on-prem directory traversal flaw after observing exploitation attempts. CISA added CVE-2026-34926 to KEV.
Microsoft says two Defender flaws have been exploited. CISA added both to KEV, making Defender engine and platform update checks urgent.
Drupal core CVE-2026-9082 is a highly critical PostgreSQL SQL injection flaw. Check affected branches, fixed versions, production database driver, logs, and post-patch review steps.
SonicWall CVE-2024-12802 can leave SSL-VPN MFA bypassable when firmware is patched but LDAP/AD settings are not completed. Check UPN/SAM login paths and VPN authentication…