NPM developer qix's account compromise potentially puts user funds at risk by compromising library dependencies used by bitcoin wallets. A major NPM developer, qix, has had their account compromised.
Days after IBM and Red Hat announced a master security plan for open-source software, Red Hat suffers a major breach of its ...
The campaign spans npm, Packagist, Go, and Chrome, using obfuscated JavaScript loaders and VS Code tasks to deliver malware.
JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
Pac-Resolver, a widely used NPM library, has received a patch to address a high-severity remote code execution (RCE) bug that could allow malicious actors to hijack a Node.js process via a corrupted ...
Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers ...
The NPM JavaScript registry has experienced a jump in malware, including packages related to data theft, crypto mining, botnets, and remote code execution, according to security company WhiteSource.
With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit approval from July 2026.
In a newly discovered supply chain attack, attackers last week targeted a range of npm-hosted JavaScript type testing utilities, several of which were successfully compromised to distribute malware.
TEL AVIV, Israel and BOSTON, Feb. 2, 202/PRNewswire/ --WhiteSource, a leader in open source security and management, today released a new threat report based on malicious activity found in npm, the ...