A campaign of 148 npm packages disguised as student web
proxies turned visitors' browsers into a distributed
denial-of-service botnet for roughly two weeks in May, according to
new research from JFrog. The packages did not go after the
developers who might install them. The operators used the registry
as free hosting for a booby-trapped proxy site and let the students
who came to dodge
Read more https://thehackernews.com/2026/07/148-npm-packages-disguised-as-student.html

