Npm

The Agent Skills open standard just got a significant new toolkit. Felo Skills launched today as an open-source npm package that plugs real-time search, slide generation, web content extraction, social listening, and knowledge base capabilities directly into Claude Code, OpenClaw, Gemini CLI, and other coding agents — in a single install. If you’ve wished your AI coding agent could search the web in real time, pull structured content from any URL, or generate a slide deck from a prompt without leaving your workflow, this is the package you’ve been waiting for. ...

One of the most widely-used JavaScript libraries in the world was silently backdoored today. Axios — the HTTP client with over 83 million weekly downloads — had two of its npm versions compromised in an active supply chain attack. And if you’re running OpenClaw 3.28 with the Slack plugin enabled, you need to act now. What Happened On March 31, 2026, attackers gained access to the npm credentials of Axios’s primary maintainer (“jasonsaayman”) and published two malicious versions: 1.14.1 and 0.30.4. Both versions inject a fake dependency called [email protected] that functions as a cross-platform Remote Access Trojan (RAT) dropper. ...

It happened again — and this time the exposure was massive. On March 31, 2026, security researcher Chaofan Shou (@shoucccc) discovered that Anthropic’s Claude Code CLI had inadvertently published its entire source code inside a 60MB source map file (cli.js.map) bundled within its npm package. Within hours, the community had mirrored the code, opened GitHub repos cataloguing the exposure, and the story had broken across cybersecurity news outlets worldwide. This is reportedly the second time in a year that Claude Code’s source has leaked through the same vector. ...

Today’s Claude Code source leak was a good reminder that shipping to npm is a security surface area that many developers don’t audit carefully enough. A 60MB .map file contained Anthropic’s entire CLI source. This guide shows you how to prevent the same thing from happening to your own packages. Why Source Maps Are the Hidden Risk Source maps (.js.map files) are generated by build tools like webpack, esbuild, Rollup, and Parcel to help with debugging. They map your compiled, minified output back to the original source. In development and CI, this is exactly what you want. ...

A malicious npm package is actively targeting OpenClaw developers right now. Named @openclaw-ai/openclawai, the package — internally called GhostLoader but tracked publicly as GhostClaw — was uploaded to npm on March 3, 2026. Security researchers at JFrog confirmed it was still live as of March 8. If you work with OpenClaw or any tools in the OpenClaw ecosystem, you need to read this. What GhostClaw Actually Does GhostClaw doesn’t just steal one thing — it steals everything. Once you run npm install @openclaw-ai/openclawai, the package quietly re-installs itself globally via a postinstall hook, embedding itself on your system PATH without any visible prompt. ...