On September 8, several popular npm packages were compromised after a successful phishing attack on a maintainer account.

The npm security team has removed today a malicious JavaScript library from the npm website that contained malicious code for opening backdoors on programmers' computers. The JavaScript library was ...

Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.

Four packages containing highly obfuscated malicious Python and JavaScript code were discovered this week in the Node Package Manager (npm) repository. According to a report from Kaspersky, the ...

Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors. More than ...

A package called “aabquerys” has been spotted on the open-source JavaScript npm repository using typosquatting techniques to enable the download of malicious components. The findings come from ...

The lurking code-bombs lift Discord tokens from users of any applications that pulled the packages into their code bases. A series of malicious packages in the Node.js package manager (npm) code ...

Strangely named npm packages like -, @!-!/-, @(-.-)/env, and --hepl continue to exist on the internet's largest software registry. While not all of these may necessarily pose an obvious security risk, ...

The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers ...

A significant percentage of the 50,000 most-downloaded npm packages are deprecated or have a deprecated dependency but provide no warning. Security researchers warn that many npm packages are being ...