The Hacker News

npm’s Update to Harden Their Supply Chain, and Points to Consider

In short, npm has taken an important step forward by eliminating permanent tokens and improving defaults. Until short-lived, ...
InfoWorld

Beyond NPM: What you need to know about JSR

Here's how the JavaScript Registry evolves makes building, sharing, and using JavaScript packages simpler and more secure ...
Bleeping Computer

NPM package ‘is’ with 2.8M weekly downloads infected devs with malware

The popular NPM package 'is' has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to compromised devices. This occurred after maintainer accounts ...
Bleeping Computer

Hackers left empty-handed after massive NPM supply-chain attack

The largest supply-chain compromise in the history of the NPM ecosystem has impacted roughly 10% of all cloud environments, but the attacker made little profit off it. After gaining access to Junon’s ...

Malicious packages for dYdX cryptocurrency exchange empties user wallets

Open source packages published on the npm and PyPI repositories were laced with code that stole wallet credentials from dYdX developers and backend systems and, in some cases, backdoored devices, ...