Click any tag below to further narrow down your results
Links
Over the past 15 months a series of high-profile backdoors, worms and trojans have compromised thousands of npm, PyPI and other open-source packages, exposing millions of downstream projects to remote access, data wiping and credential theft. The article traces incidents from the xz-utils backdoor to self-propagating npm worms, explains how deep dependency trees magnify risk, and outlines immediate steps—pinning versions, auditing dependencies and funding maintainers—to stem the threat.
The article discusses a recent supply chain attack involving the popular Axios package, highlighting how an attacker installed malware without altering the original code. It emphasizes the challenges posed by AI in both coding and attacking, as automated systems can easily introduce vulnerabilities faster than traditional security measures can respond.
A typosquatted npm package named “@acitons/artifact” impersonated the legitimate “@actions/artifact” to exploit GitHub's CI/CD workflows. It stole tokens from build environments and published malicious artifacts, highlighting vulnerabilities in supply chain security.
Remend is a new NPM package that fixes incomplete Markdown syntax during streaming. It automatically detects and completes unterminated Markdown blocks, ensuring proper rendering and layout. This tool can be integrated with any Markdown renderer, enhancing the user experience in real-time applications.
Socket has launched a Threat Intel page that tracks ongoing supply chain attack campaigns affecting open-source packages. The new feature helps teams quickly determine if they are impacted by these coordinated attacks and provides context for affected packages.
This article explains how to use the npmgraph tool to analyze npm modules and their dependencies. You can input a single module name, multiple versioned names, or a URL to a package.json file to visualize relationships between packages. It's a handy resource for developers looking to understand their project's dependencies better.
This article discusses key AI development tools and models as of February 2026. It also covers how to use Publint for validating npm packages and offers tips on optimizing React performance. Lastly, it invites readers to join LogRocket's developer community.
The article discusses a method for securely managing package releases using a "valet key" approach. It outlines how to grant limited access to release tokens while ensuring a clear approval process and full audit trails, ultimately reducing the risk of supply-chain attacks.
This article outlines key security measures for npm maintainers in response to recent attacks, including the Shai-Hulud incident. It emphasizes using trusted publishing, enforcing two-factor authentication, and adopting WebAuthn for better account protection. These steps aim to strengthen the overall security of the npm ecosystem.
spoilerjs is a web component for hiding spoiler text that reveals itself with a particle effect when clicked. It’s easy to implement with no dependencies and works in any modern browser. You can customize the appearance and behavior of the spoiler using various attributes.
A coordinated effort has released over 67,000 fake npm packages since early 2024, aimed at flooding the registry rather than stealing data. The malicious packages use JavaScript scripts that require manual execution to propagate, creating a self-replicating network that burdens the platform. Researchers link this activity to a monetization scheme involving TEA tokens.
npm is implementing a staged publishing model to add a review step before packages go live, following a series of supply chain attacks in 2025. This change aims to give maintainers a chance to catch malicious or unintended changes before they are published. The new process requires multi-factor authentication for approval during the staging period.
safe-npm is a tool that helps protect projects from compromised npm packages by only allowing the installation of versions that are at least 90 days old. This approach provides time for the security community to identify and address malicious updates. It offers various features for managing dependencies while prioritizing safety.
This tool, called "undelete," allows users to recover packages removed from NPM and PyPI by querying secondary mirrors that might still have cached versions. It also retrieves package metadata, which is helpful for security researchers investigating malicious deletions. The command-line utility requires Node.js 14 or higher.
Researchers found that open source packages on npm and PyPI were infected with malware that stole wallet credentials from dYdX developers and users. The malicious code captured seed phrases and device fingerprints, leading to potential irreversible theft of cryptocurrency. The attack affected multiple versions of the compromised packages.
This article details a significant npm supply chain attack that compromised an engineer's credentials, allowing unauthorized access to multiple repositories. The attacker cloned 669 repositories and closed numerous pull requests before being detected and removed from the GitHub organization. Thankfully, published packages remained secure throughout the incident.
This article outlines how to manage the recent change in NPM's token policy, which limits token validity to 90 days. It introduces a tool called github-update-secret that automates the process of updating access tokens across multiple GitHub repositories. While the long-term solution is to adopt OIDC, this tool provides a temporary fix.
The article details a sophisticated malware operation by North Korean threat actors using npm packages to deliver malicious code. It explains how they utilize GitHub and Vercel to manage and deploy payloads, highlighting various tactics for data theft, including clipboard access, keylogging, and file exfiltration.
This article explains the emoji-regex library, which provides a reliable regex for matching all emoji and their sequences according to the Unicode Standard. It allows easy updates with new emoji and is suitable for deterministic matching, especially for image replacement scenarios. A lighter alternative, emoji-regex-xs, is also available for less strict needs.
This article introduces npmx, a new browser designed specifically for navigating the npm registry. It invites users to collaborate, ask questions, and share feedback to improve the npm experience. You'll also find updates and news about npmx.
A serious security vulnerability in the "@react-native-community/cli" npm package allowed attackers to execute arbitrary OS commands on development servers. The flaw, tracked as CVE-2025-11953, was patched in version 20.0.0 after being discovered by JFrog's security team. Developers using affected versions are at risk if they run the Metro development server.
This article details how ten malicious npm packages use typosquatting techniques to execute credential harvesting malware on developers' systems. It describes the multi-stage process, including automatic execution, IP tracking, and extensive data extraction methods targeting various operating systems.
On November 24, 2025, over 1,000 NPM packages were compromised using a fake Bun runtime, leading to the infection of more than 27,000 GitHub repositories. The malicious code steals sensitive information and exfiltrates it via a GitHub Action runner. This incident appears to be linked to a previous attack identified as "Shai-Hulud."
Researchers found a malicious npm package named eslint-plugin-unicorn-ts-2 that attempts to deceive AI security scanners. It contains a hidden prompt and exfiltrates sensitive data during installation, highlighting a new tactic in cybercrime where attackers manipulate AI to avoid detection.
This article outlines recent npm security breaches and provides a checklist for securing npm publish workflows. It emphasizes the importance of using granular npm tokens, 2FA, and trusted publishers to minimize risks from compromised credentials.
North Korean hackers behind the Contagious Interview campaign have added 197 new malicious packages to the npm registry, totaling over 31,000 downloads. These packages deliver a variant of the OtterCookie malware, which can capture sensitive information and establish remote access to infected machines. The campaign exploits fake job applications to trick users into installing the malware.
The lotusbail npm package masquerades as a legitimate WhatsApp API library but contains sophisticated malware that steals user credentials, messages, and contacts. It captures data by intercepting communications and uses custom encryption to evade detection. Even after uninstalling the package, attackers retain access to compromised accounts.
Transformers.js v4 is now available on NPM, making installation easier. The new version features a rewritten WebGPU runtime for improved performance and offline support, along with a modular structure and a separate tokenizers library for better usability.
Clipboardy is a Node.js library for copying and pasting text and images across various platforms, including macOS, Windows, and Linux. It provides both asynchronous and synchronous methods to interact with the system clipboard. Note that image handling is limited to macOS, and certain operations may not work in headless environments.
Security flaws in npm's defenses against supply-chain attacks allow hackers to bypass protections through Git dependencies. Although other package managers have patched their vulnerabilities, npm rejected a vulnerability report from Koi Security, claiming users must vet package content themselves.
The jsonrepair library is designed to repair invalid JSON documents by fixing common issues such as missing quotes, commas, and brackets, as well as handling special characters and formats. It supports both function and streaming API usage, making it suitable for various applications, including Node.js and command-line operations. The library can also process large documents efficiently and is available for installation via npm.
The article discusses a recent supply chain attack targeting the npm ecosystem, which compromised the Shai Hulud package. It highlights the implications of such attacks on software security, emphasizing the need for vigilance in managing dependencies and securing the software supply chain.
npq is a tool designed to audit npm packages before installation, enhancing security by checking for vulnerabilities, package age, download counts, and other criteria. It integrates seamlessly with npm and can be used with other package managers by specifying environment variables, thus ensuring a safer installation process for developers. However, it is important to note that no tool can guarantee absolute safety from malicious packages.
Malicious npm packages are utilizing the Ethereum blockchain to facilitate malware delivery, raising concerns about the security of the JavaScript package ecosystem. These packages exploit vulnerabilities to deliver harmful code, leveraging blockchain technologies to obfuscate their operations and evade detection. Developers are urged to exercise caution and implement protective measures against such threats.
The article discusses a major npm supply chain hack affecting the eslint-config-prettier package, highlighting the risks associated with third-party dependencies in software development. It emphasizes the importance of securing package management ecosystems to prevent similar vulnerabilities in the future.
Managing dependencies in a React application requires careful attention to both direct and transitive dependencies to avoid unnecessary complexity and bloating. Techniques such as reading dependency source code, utilizing tools like Renovate and Knip, and analyzing package sizes are essential for maintaining a clean and efficient project. Ultimately, understanding the ecosystem and making informed choices can lead to better dependency management and reduced technical debt.
UNPKG is a global content delivery network that allows users to quickly load files from npm packages via a simple URL format. The repository includes four packages for the web app and file server backend, and details the steps for setting up a development environment and deploying the application on services like Fly.io and Cloudflare. Users are guided through installing dependencies, running tests, and deploying the backend and workers.
The author explores which npm package has the largest version number, ultimately finding that the package "latentflip-test" claims an enormous version of 1000000000000000000.1000000000000000000. However, after filtering for packages that genuinely follow semantic versioning, the real winner is "all-the-package-names" with a version of 1.3905.0, highlighting the quirks of npm versioning practices. The article also details the process of fetching and analyzing package data using the npm API.
A malicious update in the npm package postmark-mcp introduced a backdoor that silently exfiltrates emails from users to an external server, highlighting severe vulnerabilities in the trust model of MCP servers used by AI assistants. With over 1,500 weekly downloads, developers unknowingly handed over complete email control to a compromised tool, raising alarms about the security of tools integrated into enterprise workflows. Immediate action is required to remove the malicious package and audit other MCP servers for similar risks.
A recent supply chain attack has compromised several npm packages, allowing the distribution of backdoor malware. This incident highlights vulnerabilities in the software supply chain, emphasizing the need for enhanced security measures in package management systems.
A sophisticated npm attack employs over seven layers of obfuscation to distribute the Pulsar Remote Administration Tool (RAT). The obfuscation techniques include the use of Japanese Unicode characters, hexadecimal encoding, array shuffling, binary array encoding, and even image steganography to conceal malicious code within a PNG image. The malicious npm package remains publicly available, highlighting ongoing cybersecurity risks.
Pastoralist is a command-line tool designed to automate the tracking and management of security dependency issues in npm projects, including overrides and resolutions. It helps developers manage dependency versions, detect security vulnerabilities, and clean up unneeded overrides, ultimately simplifying package management in both monorepo and single-package scenarios. The tool provides various commands for scanning, fixing vulnerabilities, and maintaining an organized appendix of dependency information.
A report has revealed that 40 npm packages have been compromised as part of a supply chain attack, exposing vulnerabilities that could potentially affect thousands of projects. The malicious packages were designed to steal sensitive data and create backdoors for attackers, highlighting the ongoing risks in open-source software ecosystems. Developers are urged to review their dependencies and ensure they are not using affected packages.
The NPM package manager inadvertently removed the Stylus package, leading to widespread disruptions in numerous builds and pipelines across various projects. This incident highlights the vulnerabilities in dependency management systems and the potential impact of package removals on development workflows. Developers are advised to monitor their dependencies closely to mitigate such issues in the future.
A recent NPM supply chain attack involving a self-propagating worm called Shai-Hulud has highlighted the vulnerability of package registries like NPM. Sysdig's Threat Intelligence Feed offers real-time insights into these threats, enabling organizations to quickly assess their exposure and respond effectively. By monitoring malicious NPM packages, Sysdig aids security teams in identifying risks and taking action promptly.
NPMGraph is a tool designed for exploring npm modules and their dependencies, accessible online. It offers various configuration options through URL parameters to customize the visual representation of module graphs, including features like module colorization and dependency inclusion. Additionally, users can run NPMGraph locally by cloning its repository from GitHub.
JSON Query Language is a lightweight and expandable library for querying JSON data, featuring over 50 functions and operators. It supports both text and JSON query formats, allows the creation of custom functions and operators, and provides error handling with detailed insights. Users can install it via npm for use in JavaScript and Python applications.
Researchers discovered 60 malicious packages on NPM designed to collect sensitive host and network information, sending it to a Discord webhook. These packages, which were uploaded under misleading names, posed a significant risk for targeted network attacks, and although reported, some remained available for download at the time of writing. Additionally, another campaign involved eight typosquatting packages capable of deleting files and corrupting data, which had been present on NPM for two years.
Researchers from Safety have discovered infostealer malware targeting Russian cryptocurrency developers through npm packages designed to appear legitimate. These malicious packages, which aim to extract sensitive information such as cryptocurrency credentials, are linked to servers in the USA, raising suspicions of state-sponsored activity against Russia's ransomware operators. Developers in the Solana ecosystem are advised to secure their software supply chains to mitigate these threats.
The article discusses the vulnerabilities in the npm supply chain and emphasizes the importance of securing software dependencies. It highlights insights from industry expert Brian Fox on how to mitigate risks associated with open-source components. The piece advocates for better practices and tools to enhance security in software development.
GitHub outlines its strategy to enhance the security of the npm supply chain, focusing on improving the safety of open-source software dependencies. The plan includes implementing better verification processes and tools to mitigate risks associated with malicious packages and vulnerabilities.
A critical security alert was issued regarding 18 widely-used npm packages that were compromised to include malicious code, which secretly intercepted crypto and web3 activities in users' browsers. The affected packages, including popular ones like "chalk" and "debug," collectively accounted for over 2 billion downloads weekly. Users are advised to utilize Aikido's safe-chain to avoid such vulnerabilities.
qnm is a command-line utility designed to simplify the process of querying the node_modules directory, providing quick access to module versions and their dependencies. It features interactive fuzzy search, supports both npm and yarn, and offers insights into module installations and duplications. Additionally, it allows users to fetch remote data and view package details directly from the terminal.
The article discusses the escalating risks associated with NPM supply chain attacks, highlighting Microsoft's role as a "bad actor" in software security. It reflects on past incidents and emphasizes the need for better security measures in the software ecosystem to prevent exploitation by malicious actors.
Recent updates to Node.js have integrated many features that previously required third-party npm packages, enhancing security, reducing dependency bloat, and simplifying application maintenance. Notable replacements include global functions like fetch() and WebSocket, as well as built-in testing and database functionalities. This evolution encourages developers to leverage core capabilities while considering tools like N|Solid for monitoring and optimization.
An npm package called 'rand-user-agent' was compromised in a supply chain attack, leading to the injection of a remote access trojan (RAT) in unauthorized versions. Despite being deprecated, the package had a significant number of downloads, and users are advised to revert to the last legitimate version and conduct full system scans if they installed the malicious updates. The attack was traced back to an outdated automation token that allowed the unauthorized releases.
A TypeScript framework for WhatsApp's Official API allows developers to create a WhatsApp bot by utilizing npm to install the module. It covers the setup process for obtaining API tokens, webhook configuration, and provides sample code for handling different message types and responses. Additional resources include documentation for various environments and contribution guidelines for enhancing the library.
The npm author Qix was targeted in a significant supply chain attack through a phishing email that spoofed npm branding, tricking the author into compromising their account. Malicious code was introduced into several packages, redirecting cryptocurrency transactions to the attacker's addresses, highlighting the persistent threat of phishing in the open-source ecosystem.
Over 500 NPM packages were compromised by a self-replicating worm called Shai-Hulud, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert for developers to secure their credentials and review dependencies. GitHub is implementing stricter authentication and security measures to prevent future attacks.
Multiple DuckDB-related npm packages were compromised, including duckdb and its associated modules, which contained malicious code aimed at draining crypto wallets. The attack mirrors previous incidents of phishing in the npm ecosystem, leading to the vendor marking the latest release as deprecated and issuing an advisory on GitHub.
Two malicious npm packages, 'express-api-sync' and 'system-health-sync-api,' have been found to act as data wipers that delete entire application directories instead of functioning as advertised utilities. These packages, which have been removed from npm, contained backdoors that allowed attackers to execute destructive commands remotely, raising concerns about potential sabotage or state-level disruptions in the software ecosystem.
The article explores how the massive growth of npm packages, which have reached over a billion downloads, has significantly influenced the JavaScript ecosystem. It discusses the implications of this growth for developers, including the reliance on external packages and the evolving nature of software development practices. The piece highlights both the benefits and challenges associated with this trend in package management.
The article discusses the various risks associated with using npm (Node Package Manager) for managing JavaScript packages, including issues related to security vulnerabilities, dependency management, and the impact of unmaintained packages. It emphasizes the importance of being vigilant and proactive in assessing the risks that come with third-party dependencies in software development.
The article discusses the discovery of backdoors in various Python npm packages, highlighting the security risks posed to both Windows and Linux systems. It emphasizes the need for developers and users to be vigilant when using third-party packages, as malicious code can lead to significant vulnerabilities.
The repository consolidates best practices for securing NPM, bun, deno, pnpm, and yarn environments against common vulnerabilities such as supply-chain attacks and malware. It emphasizes the importance of controlling dependency versions, using configuration options to enhance security, and leveraging built-in permission models to safeguard applications during runtime. Additionally, it provides guidance on tools and techniques for auditing and managing packages effectively.
The article discusses how Cloudflare's client-side security, particularly its Page Shield feature, effectively mitigated the risks posed by a recent npm supply chain attack where malicious code was injected into popular JavaScript packages. The advanced machine learning algorithms employed by Cloudflare allowed for rapid detection and prevention of potential crypto theft, ensuring the safety of users' applications against such vulnerabilities.