News

A mysterious, one-letter npm package named "-", sitting on the registry since 2020, has received over 700,000 downloads.
Most JavaScript developers are familiar with the npm package manager, which was originally developed by Isaac Schlueter. What many probably don’t know is that npm is also a company co-founded by ...
An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
Workspaces support in the NPM CLI allows you to manage multiple packages from within a single top-level root package. NPM 7.0.0, an upgrade to the JavaScript package manager, is due to be released ...
The npm security team today removed a malicious JavaScript library from the npm website that contained code for opening backdoors on programmers' computers. The JavaScript library ...
Packages that display ads at runtime, on installation, or at other stages of the software development lifecycle, such as via npm scripts. Packages with code that can be used to display ads are fine.
npm (originally short for Node Package Manager, or NPM) is the default package manager for the JavaScript runtime environment Node.js, which is built on Chrome’s V8 JavaScript engine.
Snyk is tracking the incidents with the peacenotwar and oneday-test npm modules as SNYK-JS-PEACENOTWAR-2426724, with a low criticality rating of 3.7, given that attack complexity is high.
Security researchers have uncovered two new malicious packages on the npm open source package manager that utilized GitHub to store stolen Base64-encoded SSH keys taken from developer systems. These ...
Cybersecurity researchers at Socket have warned of multiple malicious packages hosted on NPM, stealing sensitive user data and relaying it to the attackers. In a blog post, Socket said it identified ...