JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
An attacker exploited Hinkal, a DeFi privacy protocol, for roughly $820,000 in USDC on July 3, 2026, draining nearly all of the protocol’s total value locked. The stolen funds were converted to ETH ...