npm tackles its riskiest security issues

With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit ...
Bleeping Computer

52% of All JavaScript npm Packages Could Have Been Hacked via Weak Credentials

Tens of thousands of developers using weak credentials to secure their npm accounts inadvertently put more than half of the npm packages (JavaScript libraries and tools) at risk of getting hijacked ...
ZDNet

Npm team warns of new 'binary planting' bug

The team behind npm, the biggest package manager for JavaScript libraries, has issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary ...
Bleeping Computer

Botched npm Update Crashes Linux Systems, Forces Users to Reinstall

A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these ...

Red Hat hit by npm supply‑chain attack - here's how to stay safe

Red Hat hit by npm supply‑chain attack - here's how to stay safe ...
Threat Post

Thousands of Malicious npm Packages Threaten Web Apps

Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors. More than ...
CSOonline

Npm ecosystem vulnerable to new manifest confusion attack

Package manifests in the npm registry are not validated against metadata files in the package itself, leaving the door open for attackers. The npm (Node Package Manager) ecosystem of JavaScript ...