Inside these files—mainly the manifest (package.json) and index.js, there is nothing phenomenally interesting, just skeleton code. The manifest does pull in a bunch of development dependencies ...

A package called “aabquerys” has been spotted on the open-source JavaScript npm repository using typosquatting techniques to enable the download of malicious components. The findings come from ...

Shai Hulud v2 infected 500+ npm packages (700+ versions) and spilled into Java/Maven — yikes. Compromised packages run a preinstall loader that downloads Bun and executes a 10MB obfuscated payload ...

The popular npm package "is" was infected with cross-platform malware, around the same time that linting utility packages used with the prettier code formatter were infected with Windows-only malware.

New malicious NPM packages have been discovered that install the njRAT remote access trojan that allows hackers to gain control over a computer. NPM is a JavaScript package manager that allows ...

Two code packages named "nodejs-encrypt-agent" in the popular npm JavaScript library and registry recently were discovered containing the open source information-stealing TurkoRat malware. Researchers ...

A recent surge in malicious activity involving North Korean-linked threat groups has been identified by cybersecurity researchers, revealing a coordinated campaign targeting the npm ecosystem. The ...

Researchers found malicious packages on the npm registry that, when installed, inject malicious code into legitimate npm packages already residing on developers’ machines. Attackers who target ...