News
A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads.
The packages carry backdoors that first collect environment information and then delete entire application directories.
Two malicious NPM packages contain code that would delete production systems when triggered with the right credentials.
Malware-laced PyPI and npm packages steal developer credentials, CI/CD data, and crypto wallets. Attacks target macOS, AI ...
Popular NPM package "pac-resolver" has fixed a severe remote code execution (RCE) flaw. The pac-resolver package receives over 3 million weekly downloads, extending this vulnerability to Node.js ...
An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
The Node Package Manager, NPM, has become a powerful and important tool, supporting many different JavaScript frameworks — including JQuery, AngularJS, and React JS. If you’re building ...
Researchers found malicious packages on the npm registry that, when installed, inject malicious code into legitimate npm packages already residing on developers’ machines.