Blogs by Kodem Security Research Team

Mastra npm Packages Compromised: easy-day-js Supply Chain Attack

On June 17, 2026, attackers republished 13 @mastra npm packages with a malicious easy-day-js dropper that steals secrets. Get the IOCs, timeline, and first-hour runbook.

CVE-2026-9277 shell-quote Command Injection

CVE-2026-9277 is a command injection flaw in the shell-quote npm package, affecting versions 1.1.0 through 1.8.3. See how the quote() bypass works, what to hunt for, and the 1.8.4 fix.

TanStack OpenAI Supply Chain Attack: Mini Shai-Hulud, IOCs, and First-Hour Response Runbook

The TanStack OpenAI supply chain attack delivered Mini Shai-Hulud through trusted npm publishing. Get the IOCs, affected packages, and first-hour runbook.