News
Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors.
The popular Nx build system, boasting 4 million downloads each week, was exploited in the first supply chain breach to use AI ...
Attacks on the Nx build system and React packages highlight escalating threats to enterprise software development pipelines.
Microsoft said its Visual Studio Code 1.7 release overloaded the npmjs.org JavaScript package management service for Node.js, forcing a version rollback to 1.6.1.
Developers using the wildly popular npm registry to download JavaScript code may unwittingly be exposed to a range of cyber-threats because it fails to check the metadata of packages, it has emerged.
The NPM JavaScript registry has experienced a jump in malware, including packages related to data theft, crypto mining, botnets, and remote code execution, according to security company WhiteSource.
Microsoft is acquiring npm, a major JavaScript-developer platform, which it is planning to integrate with GitHub.