Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign.

近期出现了一种复杂的恶意软件攻击活动，攻击者将会话式聊天机器人作为入侵企业系统的隐蔽入口。该攻击最早在2025年9月中旬被发现，主要针对基于大语言模型构建的面向客户的聊天应用。