Dangerous npm packages are targeting developer credentials on Windows, Linux and Mac - here's what we know

Recently, security researchers Socket found 10 packages on npm targeting software developers, specifically those who use the ...

Popular JavaScript library expr-eval vulnerable to RCE flaw

A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be ...
Hackaday

PhantomRaven Attack Exploits NPM’s Unchecked HTTP URL Dependency Feature

Having another security threat emanating from Node.js’ Node Package Manager (NPM) feels like a weekly event at this point, ...

NPM flooded with malicious packages downloaded more than 86,000 times

Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection.

Malicious NPM packages fetch infostealer for Windows, Linux, macOS

Ten malicious packages mimicking legitimate software projects in the npm registry download an information-stealing component ...
Infosecurity Magazine

Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages

The ongoing ‘PhantomRaven’ malicious campaign has infected 126 npm packages to date, representing 86,000 downloads ...

Claude Code trojan found in NPM

Supply chain security company Safety has discovered a trojan in NPM that masqueraded as Anthropic’s popular Claude Code AI ...
SecurityWeek

Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks

Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React ...

No Chance for Token Theft: The Backend-for-Frontend Pattern

The Backend-for-Frontend pattern addresses security issues in Single-Page Applications by moving token management back to the ...
The Record

Malware found in npm package with millions of weekly downloads

A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed a password stealer and cryptocurrency miner on systems where the ...