NPM, the Node Package Manager, hosts millions of packages and serves billions of downloads annually. It has served well over the years but has its shortcomings, including with TypeScript build ...
Threat actors have successfully weaponized Zapier’s compromised NPM account to unleash a digital weapon that’s creating chaos across the entire open-source ecosystem. This isn’t your typical data ...
Amazon researchers discovered more than 150,000 malicious packages in the NPM registry, in what they called "a defining moment in supply chain security." The packages were part of a token farming ...
Threat actors are finding new ways to insert invisible code or links into open source code to evade detection of software supply chain attacks. The latest example was found by researchers at ...
Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. The finding, ...
An ongoing npm credential harvesting campaign operating since August 2025 has been discovered by researchers at Koi Security. The malware, dubbed PhantomRaven by the researchers, is actively stealing ...
If you needed another reminder that our software supply chains are only as strong as their smallest link, the JavaScript ecosystem delivered it. In early September, attackers phished the NPM account ...
Various IT security companies are warning of new attacks on the npm ecosystem around node.js. Several dozen packages (at least 40, in one report as many as 150) are infected with malware that steals ...
A phishing email was at the heart of the attack. The NPM team quickly removed the backdoored versions. 18 packages were hit, with 2B+ downloads every week. A new digital supply chain attack has targeted popular ...
Forbes contributors publish independent expert analyses and insights. A serious security breach has sent shockwaves through both everyday online services and the cryptocurrency world. At the center is ...
A supply chain attack involving multiple NPM packages had the potential to be one of the most impactful security incidents in recent memory, but such fears seemingly have proved unrealized. On the ...
A phishing attack aimed at a particular software maintainer’s account has managed to compromise software packages that have over 2.6 billion weekly downloads. BleepingComputer, noting that the ...