NPM, the Node Package Manager, hosts millions of packages and serves billions of downloads annually. It has served well over the years but has its shortcomings, including with TypeScript build ...

Half a dozen vulnerabilities in the JavaScript ecosystem’s leading package managers — including NPM, PNPM, VLT, and Bun — could be exploited to bypass supply chain attack protections, according to ...

The defense mechanisms that NPM introduced after the 'Shai-Hulud' supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies. Collectively called PackageGate, ...

Threat actors have successfully weaponized Zapier’s compromised NPM account to unleash a digital weapon that’s creating chaos across the entire open-source ecosystem. This isn’t your typical data ...

What Happened in the Shai Hulud JavaScript Attack? A major JavaScript supply-chain attack has compromised more than 400 NPM packages — including at least 10 widely used across the crypto ecosystem — ...

Amazon researchers discovered more than 150,000 malicious packages in the NPM registry, in what they called "a defining moment in supply chain security." The packages were part of a token farming ...

A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input. The ...

An ongoing npm credential harvesting campaign operating since August 2025 has been discovered by researchers at Koi Security. The malware, dubbed PhantomRaven by the researchers, is actively stealing ...

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The ...