Here's how the JavaScript Registry evolves makes building, sharing, and using JavaScript packages simpler and more secure ...

Researchers at application security testing firm Checkmarx Ltd. today detailed a previously unknown threat actor leveraging NPM packages to target developers to steal source code and secrets. The ...

On November 24, 2025, local time, HelixGuard, an open-source security research lab that conducts research on supply chain malware and vulnerabilities, discovered that over 1,000 components in the NPM ...

Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. Last week, JFrog researchers disclosed the scheme in which an unknown threat actor ...

Attackers have poisoned a code package on the npm registry in a novel way, hiding credential-stealing malware in steganographic QR codes embedded in a package purporting to offer a JavaScript utility.

The CursedGrabber malware has infiltrated the open-source software code repository. Three malicious software packages have been published to npm, a code repository for JavaScript developers to share ...

Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors. More than ...

A researcher at Koi Security says the two key platforms have not plugged the vulnerabilities enabling the worm attacks, and ...

The security firm Socket warns of a campaign with malicious scripts in npm packages. The analysts have discovered 60 of these packages that contain an infostealer, which in turn spies on a machine ...