News
A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads.
An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
Most JavaScript developers are familiar with the npm package manager, which was originally developed by Isaac Schlueter. What many probably don’t know is that npm is also a company co-founded by ...
Workspaces support in the NPM CLI allows you to manage multiple packages from within a single top-level root package. NPM 7.0.0, an upgrade to the JavaScript package manager, is due to be released ...
The npm security team today removed a malicious JavaScript library from the npm website that contained code for opening backdoors on programmers' computers. The JavaScript library ...
Snyk is tracking the incidents with the peacenotwar and oneday-test npm modules as SNYK-JS-PEACENOTWAR-2426724, with a low criticality rating of 3.7, given that attack complexity is high.
News. Sonatype Finds 'Typosquatting' Packages in npm. By John K. Waters; October 1, 2020; Researchers at Sonatype, a leader in the DevSecOps and repository management space, discovered and confirmed ...
Security researchers have uncovered two new malicious packages on the npm open source package manager that used GitHub to store stolen Base64-encoded SSH keys taken from developer systems. These ...
Packages that display ads at runtime, on installation, or at other stages of the software development lifecycle, such as via npm scripts. Packages with code that can be used to display ads are fine.