Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. Last week, JFrog researchers disclosed the scheme in which an unknown threat actor ...
Inside these files, mainly the manifest (package.json) and index.js, there is nothing phenomenally interesting, just skeleton code. The manifest does pull in a bunch of development dependencies ...
The Node Package Manager, NPM, has become a powerful and important tool, supporting many different JavaScript frameworks — including JQuery, AngularJS, and React JS. If you’re building JavaScript ...
Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors. More than ...
Researchers found malicious packages on the npm registry that, when installed, inject malicious code into legitimate npm packages already residing on developers’ machines. Attackers who target ...
Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. The finding, ...
Amazon researchers discovered more than 150,000 malicious packages in the NPM registry, in what they called "a defining moment in supply chain security." The packages were part of a token farming ...
A malicious campaign targeting developers through npm and GitHub repositories has been uncovered, featuring an unusual method of using Ethereum smart contracts to conceal command-and-control (C2) ...
npm has taken down all versions of the real Stylus library and replaced them with a "security holding" page, breaking pipelines and builds worldwide that rely on the package. A security placeholder ...