Inside these files—mainly the manifest (package.json) and index.js, there is nothing phenomenally interesting, just skeleton code. The manifest does pull in a bunch of development dependencies ...
The CursedGrabber malware has infiltrated the open-source software code repository. Three malicious software packages have been published to npm, a code repository for JavaScript developers to share ...
On November 24, 2025, local time, HelixGuard, an open-source security research lab that conducts research on supply chain malware and vulnerabilities, discovered that over 1,000 components in the NPM ...
Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. Last week, JFrog researchers disclosed the scheme in which an unknown threat actor ...
Aikido Security Ltd. today disclosed what is being described as the largest npm supply chain compromise to date, after attackers injected malware into 18 popular packages that together account for ...
Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors. More than ...
Developers adept at multiple coding languages are tricked into installing a familiar-sounding package from within the Node Package Manager registry instead of the original source. Hackers are abusing ...
The security firm Socket warns of a campaign with malicious scripts in npm packages. The analysts have discovered 60 of these packages that contain an infostealer, which in turn spies on a machine ...
A significant percentage of the 50,000 most-downloaded npm packages are deprecated or have a deprecated dependency but provide no warning. Security researchers warn that many npm packages are being ...
Some results have been hidden because they may be inaccessible to you
Show inaccessible results
Feedback