Dark Reading

Npm Packages Vulnerable to Old-School Weapon: the 'Shift' Key

Since 2017, hackers have been able to mimic legitimate packages on Node Package Manager (npm) by simply removing the capital letters in their titles. According to newly published research from ...
Infosecurity-magazine.com

Manifest Confusion Threat Undermines Trust in Entire Npm Registry

Developers using the wildly popular npm registry to download JavaScript code may unwittingly be exposed to a range of cyber-threats because it fails to check the metadata of packages, it has emerged.
Dark Reading

Malicious npm Packages Scarf Up Discord Tokens, Credit Card Info

Four packages containing highly obfuscated malicious Python and JavaScript code were discovered this week in the Node Package Manager (npm) repository. According to a report from Kaspersky, the ...
Bleeping Computer

NPM supply-chain attack impacts hundreds of websites and apps

An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. As ...

npmx package browser released as alpha to fix pain of using npmjs

Project initiated by Nuxt lead Daniel Roe attracts wide support thanks to multiple issues with the official interface A new browser for the npm registry has launched in alpha, following grassroots ...
Bleeping Computer

NPM fixes private package names leak, serious authorization bug

The largest software registry of Node.js packages, npm, has disclosed multiple security flaws that were identified and remedied recently. The first flaw concerns leak of names of private npm packages ...
InfoWorld

NPM adds Workspaces for managing multiple packages

Workspaces support in the NPM CLI allow you to manage multiple packages from within a single top-level root package NPM 7.0.0, an upgrade to the JavaScript package manager, is due to be released with ...