Solana blockchain's popular web3.js npm package backdoored to steal keys, funds | Damage likely limited to those running bots with private PKI access | Cyber-crime | 05 Dec 2024 | 7 comments
Hundreds of thousands of dollars in crypto stolen after Ledger code poisoned | Former worker phished then NPM repo hijacked | Cyber-crime | 16 Dec 2023 | 56 comments
Warning: JavaScript registry npm vulnerable to 'manifest confusion' abuse | Failure to match metadata with packaged files is perfect for supply chain attacks | Research | 27 Jun 2023 | 12 comments
Hijacked S3 buckets used in attacks on npm packages | Cybercrooks use abandoned AWS storage tool to deliver malware | Storage | 19 Jun 2023 | 7 comments
So you want to integrate OpenAI's bot. Here's how that worked for software security scanner Socket | Hint: Hundreds of malicious npm and PyPI packages spotted | Devops | Exclusive | 30 Mar 2023 | 23 comments
Cry Havoc and let slip dogs of war ... there's an upgraded malware server in town | ThreatLabz finds free alternative to Cobalt Strike and other tools used in the wild | Security | 17 Feb 2023 | 2 comments
Malicious PyPI package found posing as a SentinelOne SDK | Security firm tagged with malware misrepresentation | Security | 21 Dec 2022 | 8 comments
Boffins rate npm and PyPI package security and it's not good | Guess what? Open source security still has gaps | Security | 11 Aug 2022 | 15 comments
Miscreants aim to cause Discord discord with malicious npm packages | LofyLife campaign comes amid GitHub security lockdown | Research | 02 Aug 2022 | 2 comments
Someone may be prepping an NPM crypto-mining spree | 1,300 packages from 1,000 automated user accounts set the stage for something big | Research | 07 Jul 2022 | 8 comments
Typo-squatting NPM software supply chain attack uncovered | Beawre teh mizpelled pakcage naem | Security | 06 Jul 2022 | 7 comments
GitHub saved plaintext passwords of npm users in log files, post mortem reveals | Unrelated to the OAuth token attack, but still troubling as org reveals details of around 100,000 users were grabbed by the baddies | Security | 27 May 2022 | 16 comments
How to find NPM dependencies vulnerable to account hijacking | Security engineer outlines self-help strategy for keeping software supply chain safe | CSO | 23 May 2022 | 21 comments
Mystery of industry-targeting backdoored NPM JavaScript packages solved | Yup, 'the intern' did it | Devops | 12 May 2022 | 11 comments
Email domain for NPM lib with 6m downloads a week grabbed by expert to make a point | Campaign to coax GitHub-owned outfit to improve security starts showing results | CSO | Special report | 10 May 2022 | 47 comments
This JavaScript scanner hunts down malware in libraries | Stick a fork in this Socket and zap malicious NPM packages | Security | 01 Mar 2022 | 2 comments
Worried about occasional npm malware scares? It's more common than you may think | WhiteSource says it spotted 1,300 malicious JavaScript packages in 2021 alone | Security | 03 Feb 2022 | 15 comments
GitHub fixes authorisation vulnerability in the NPM JavaScript package registry | Flaw allowed 'an attacker to publish new versions of any npm package' | Security | 16 Nov 2021 | 4 comments
NPM packages disguised as Roblox API code caught carrying ransomware | Subverted libraries likely intended as a prank but should be taken seriously, say security researchers | Security | 27 Oct 2021 | 7 comments
NPM is Now Providing Malware – or was until recently | Password-stealing package outed by security firm evokes sense of déjà vu | Devops | 21 Jul 2021 | 5 comments
Sitting comfortably? Then it's probably time to patch, as critical flaw uncovered in npm's netmask package | Are you local? Catastrophically local? | Security | 29 Mar 2021 | 37 comments
Malicious backdoored NPM package masqueraded as Twilio library for three days until it was turfed out | Dodgy JavaScript code downloaded hundreds of times | Devops | 03 Nov 2020 | 5 comments
Now GitHub has gulped down NPM Inc, what's next for the JS package registry? Well, some stability will be nice | CTO Ahmad Nassri announces intention to bow out | Software | 16 Apr 2020
Are we having fund yet, npm? CTO calls for patience after devs complain promised donations platform has stalled | Funding free software is 'still a very unsolved problem' says co-founder | Devops | 22 Feb 2020 | 13 comments
No big deal, Rogers, your internal source code and keys are only on the open web. Don't hurry to take it down | 'Closed source' blueprints available for all to gawp at – and potentially exploit | Software | Updated | 24 Jan 2020 | 14 comments
NPM swats path traversal bug that lets evil packages modify, steal files. That's bad for JavaScript crypto-wallets | Trio of vulnerabilities made registry full of uncertain code even more of a risk | Security | 13 Dec 2019 | 19 comments
NPM today stands for Now Pay Me: JavaScript packaging biz debuts conduit for funding open-source coders | Like a particular module? You're one command away from being able to donate some dosh for it | Software | 06 Nov 2019 | 27 comments
Hey, NPM. How do you like your Bogensberger? He's, well, done: CEO Bryan ejects from biz | JavaScript packager seeks new boss amid internal friction, firings, unionization attempts | Devops | 20 Sep 2019 | 8 comments
After banning adverts in command-line terminals, NPM floats idea of Patreon-style donations to open-source devs | Cash-burning biz sees itself following in the footsteps of GitHub Sponsors | Software | 04 Sep 2019 | 24 comments
NPM Inc settles union-busting complaints on third try – after CEO trolled for ordering internal mole hunt | Stuffed mole toys arrive at JavaScript biz after chief exec demands to know who was talking to El Reg | Software | 02 Jul 2019 | 43 comments
settlement.js not found: JavaScript package biz NPM scraps talks, fights union-busting claims | CEO speaks to The Reg as we dig into labor complaints, future of npm CLI | Software | Special report | 14 Jun 2019 | 12 comments
NPM is Not Particularly Magnanimous? Staff fired after trying to unionize – complaints | Plus: Employee diversity, harassment brouhahas within Microsoft, Google | Software | Special report | 22 Apr 2019 | 59 comments
NPM apologizes for ham-fisted handling of recent staff layoffs | Sorry song fails to quell online discontent, rumors swirl of competition ahead | On-Prem | 11 Apr 2019 | 13 comments
NPM not tied in knots over Yarn rival project | Parallel projects just happen when the future is obvious | Devops | 15 Sep 2018 | 14 comments
One-in-two JavaScript project audits by NPM tools sniff out at least one vulnerability... | ...and those devs are then applying patches, we hope | Security | 22 Aug 2018 | 13 comments
Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders | Tokens killed after eslint-scope utility compromised | Security | Updated | 12 Jul 2018 | 9 comments
Unlucky Linux boxes trampled by NPM code update, patch zapped | Devs stumble into pre-release beta by using command they didn't understand | Software | 23 Feb 2018 | 38 comments
Wondering where your JavaScript libs went? Spam-detection snafu exiled npm packages | Postmortem sheds light on brief dependency hell | Software | 11 Jan 2018 | 16 comments
npm adds two-factor auth, security tokens in wake of JS typo attack | Let's make sure that code you're pulling in is legit code, not some scumbag's library | Devops | 05 Oct 2017 | 1 comment
This typosquatting attack on npm went undetected for 2 weeks | Lookalike npm packages grabbed stored credentials | Security | 02 Aug 2017 | 7 comments
'No regrets' says chap who felled JavaScript's Jenga tower – as devs ask: Have we forgotten how to code? | NPM republishes unpublishing rules | Software | Analysis | 29 Mar 2016 | 113 comments
How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript | Code pulled from NPM – which everyone was using | Software | Updated | 23 Mar 2016 | 172 comments