TanStack has released a detailed postmortem describing a sophisticated supply-chain attack that compromised 42 npm packages ...
Malicious npm package downloaded 676 times stole Claude AI files via GitHub uploads, increasing AI-driven malware risks.
GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ...
GitHub’s internal repositories — now staged publishing in npm 11.15.0 requires a human 2FA approval before any package goes ...
The world’s largest open-source registry, node package manager (npm), has been hit by another fast-moving malware attack, ...
The OWASP-backed tool scans JavaScript and TypeScript lockfiles locally, aiming to help developers catch and remediate dependency risks before CI failures.
Popular JavaScript modules including size-sensor and echarts-for-react hit as hijacked account closed GitHub warnings ...
Stolen credentials produced valid Sigstore certificates, clearing 633 malicious npm packages — one of seven developer tool ...
A Shai-Hulud copycat has turned up in yet another npm package just five days after TeamPCP open sourced the worm and ...
Attackers performed an email takeover attack on a dormant maintainer account and published new node-ipc versions containing ...
Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm. The node-ipc ...
Malicious packages across npm, PyPI, and Crates.io show how poisoned developer workflows can become a route into enterprise systems.