https://mvnpm.org/composites/
Composites - mvnpm - mvnpm - Use NPM packages as Maven/Gradle dependencies
Browse and manage composite packages that aggregate multiple NPM packages into a single Maven artifact.
mvnpm use npmmaven gradle dependenciescompositespackages
https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24/
Shai-Hulud Returns: Over 1K NPM Packages and 27K+ Github Repos infected via Fake Bun Runtime Within...
Over 1,000 NPM packages were infected using the same method as the previous attack, infecting with a fake Bun runtime. The attacker leveraged the `preinstall`...
shai huludnpm packagesgithub reposvia fakebun runtime
https://wesbos.com/javascript/14-es-modules-and-structuring-larger-apps/82-using-open-source-npm-packages
Using Open-Source npm packages - Wes Bos
In this lesson we are going to cover how to use external modules, that have been open sourced by the community, within your projects.
using open sourcenpm packageswes bos
https://hackage.haskell.org/package/nixfromnpm
nixfromnpm: Generate nix expressions from npm packages.
Generate nix expressions from npm packages.
npm packagesgeneratenixexpressions
https://www.npmcharts.com/
Compare download trends for npm packages - npmcharts
Compare npm package download counts over time to spot trends and see which to use and which to avoid.
compare downloadnpm packagestrends
https://thehackernews.com/2022/10/lofygang-distributed-200-malicious-npm.html
LofyGang Distributed ~200 Malicious NPM Packages to Steal Credit Card Data
A hacker group called LofyGang distributed nearly 200 trojanized packages on the NPM open source repository that steals credit card information.
malicious npm packagescredit carddistributed200steal
https://joripress.com/Compromised-Namastex-npm-Packages-Deliver-TeamPCP-Style-CanisterWorm-Malware
Compromised Namastex npm Packages Deliver TeamPCP-Style CanisterWorm Malware - JoriPress
Apr 23, 2026 - cybersecurity, npm, supply-chain, malware, business risk, DefendMyBusiness
npm packagescompromiseddeliverteampcpstyle
https://www.npmcharts.com/compare/gatsby-theme-amsterdam?minimal=true
Compare download trends for npm packages - npmcharts
Compare npm package download counts over time to spot trends and see which to use and which to avoid.
compare downloadnpm packagestrends
https://www.aikido.dev/protect/safe-chain
Stop Malicious npm Packages | Aikido Safe Chain
Prevent developers from installing malicious code. Free to use, no tokens required
malicious npm packagesstopaikidosafechain
https://www.theregister.com/2025/08/27/nx_npm_supply_chain_attack/
Nx NPM packages poisoned in AI-assisted supply chain attack • The Register
Aug 27, 2025 - Stolen dev credentials posted to GitHub as attackers abuse CLI tools for recon
supply chain attacknpm packagesnxpoisonedassisted
https://www.aikido.dev/blog/npm-supply-chain-phishing-campaigns
Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages
Jan 28, 2026 - A targeted spear-phishing campaign used npm packages and jsDelivr as free phishing infrastructure, serving custom credential harvesters per victim
npm packagescredential harvestinggoneservingcustom
https://www.helpnetsecurity.com/2026/03/31/axios-npm-backdoored-supply-chain-attack/
Axios npm packages backdoored in supply chain attack - Help Net Security
Mar 31, 2026 - An attacker has published backdoored Axios npm packages that trigger the installation of droppers and remote access trojans.
supply chain attackaxios npmpackagesbackdooredhelp
https://threatpost.com/malicious-npm-discord/180327/
Malicious Npm Packages Tapped Again to Target Discord Users | Threatpost
Jul 29, 2022 - Recent LofyLife campaign steals tokens and infects client files to monitor various user actions, such as log-ins, password changes and payment methods.
malicious npm packagesdiscord userstappedtargetthreatpost
https://nodesource.com/blog/nodejs-features-replacing-npm-packages
15 Recent Node.js Features that Replace Popular npm Packages
Many Node.js features that once required third-party packages are now built into the runtime itself.
node jsreplace popularnpm packages15recent
https://www.kaspersky.co.in/blog/npm-packages-trojanized/29528/
Popular npm packages compromised | Kaspersky official blog
Sep 10, 2025 - Unknown attackers have compromised color, debug, ansi-regex, chalk, and several other npm packages in a supply-chain attack.
kaspersky official blogpopular npmpackages compromised
https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html
Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens
Self-propagating npm worm steals tokens via postinstall hooks, impacting six packages and expanding supply chain attacks.
supply chain wormself propagatingnpm packageshijackssteal
https://mvnpm.org/
mvnpm - Use NPM packages as Maven/Gradle dependencies
Seamlessly integrate NPM packages into Java through Maven and Gradle dependencies. The bridge between NPM and Maven Central.
mvnpm use npmmaven gradle dependenciespackages
https://pastebin.com/P92bU5fb?source=archive
Manipulated File in Malicious NPM Packages - Pastebin.com
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
malicious npm packagesmanipulatedfilepastebin
https://securitybrief.news/story/claude-code-can-leak-secrets-in-public-npm-packages
Claude Code can leak secrets in public npm packages
Apr 23, 2026 - Check Point says Anthropic's Claude Code can quietly stash credentials in .claude/settings.local.json, which may be published in public npm packages.
claude codenpm packagesleaksecretspublic
https://www.csoonline.com/article/4028412/supply-chain-attack-compromises-npm-packages-to-spread-backdoor-malware.html
Supply chain attack compromises npm packages to spread backdoor malware | CSO Online
Jul 24, 2025 - Phishing attacks on package maintainer accounts led to infected JavaScript type testing utilities.
supply chain attacknpm packagesbackdoor malwarecso onlinecompromises
https://mvnpm.org/live/
Live - mvnpm - mvnpm - Use NPM packages as Maven/Gradle dependencies
Watch live synchronization progress of NPM packages being converted to Maven artifacts.
mvnpm use npmmaven gradle dependencieslivepackages
https://www.epicweb.dev/tutorials/versioning-and-releasing-npm-packages-with-nx
Versioning and Releasing NPM packages with Nx Tutorial | Epic Web Dev
Learn full-stack web development with Kent C. Dodds and the Epic Web instructors. Learn TypeScript, React, Node.js, and more through hands-on workshops.
epic web devnpm packagesversioningreleasingnx
https://www.infosecurity-magazine.com/news/malicious-npm-packages-steal/
Malicious Npm Packages Designed to Steal Discord Tokens - Infosecurity Magazine
Jun 11, 2025 - Kaspersky claims malware also steals card data
malicious npm packagesinfosecurity magazinedesignedstealdiscord
https://safedep.io/malicious-fairwords-npm-credential-worm/
@fairwords npm Packages Hit by Credential Worm - Real-time Open Source Software Supply Chain...
Three @fairwords npm packages were compromised with a self-propagating worm that harvests credentials, crypto wallets, Chrome passwords, and spreads to other...
real time opensource software supplynpm packageshitcredential
https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html
Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
CanisterWorm infects 28 npm packages via ICP-based C2, enabling self-propagation and persistent backdoor access across developer systems.
trivy supply chainattack triggersnpm packagesselfspreading
https://sdtimes.com/security/shai-hulud-is-back-with-a-new-campaign-infecting-more-npm-packages/
Shai-Hulud is back with a new campaign infecting more npm packages - SD Times
Software Development News
shai huludnew campaignnpm packagessd timesback
https://npm-stat.com/charts.html?package=styled-components
npm-stat: download statistics for NPM packages
download statistics for npm packages
npm stat downloadstatisticspackages
https://blog.cyberdesserts.com/npm-security-vulnerabilities/
npm Security Risks 2026: Vulnerable Packages & Fixes
Apr 17, 2026 - 454K malicious npm packages in 2025. See the most vulnerable packages, how attacks work, and how to fix them safely.
npm securityrisks 2026vulnerablepackagesfixes
https://onehack.st/t/trivy-got-owned-and-spawned-a-self-replicating-npm-worm-47-packages-deep/319972
Trivy Got Owned and Spawned a Self-Replicating npm Worm – 47 Packages Deep - News & Articles -...
Mar 22, 2026 - Trivy Got Owned and Spawned a Self-Replicating npm Worm – 47 Packages Deep A hardcoded secret, a blockchain dead drop, and a worm that vibe-coded itself...
got ownedself replicatingnpm wormnews articlestrivy
https://stackoverflow.com/questions/17937960/how-to-list-npm-user-installed-packages
javascript - How to list npm user-installed packages? - Stack Overflow
How do I list the user-installed / environment package only in npm? When I do npm -g list, it outputs every package and their dependencies. Instead I'd like to...
npm userinstalled packagesstack overflowjavascriptlist
https://badge.fury.io/
Version Badge for npm, RubyGems, PyPI, Bower and other packages
Version Badge for npm, RubyGems, PyPI, Bower and other packages
version badgenpmrubygemspypibower
https://npm.io/
npm.io | NPM packages search engine
npm.io is an NPM packages aggregator and search engine designed to make your node package search fast, smooth and simple.
npm iopackages searchengine
https://www.infosecurity-magazine.com/news/indonesianfoods-npm-worm-44000/
"IndonesianFoods" npm Worm Publishes 44,000 Malicious Packages - Infosecurity Magazine
Mar 17, 2026 - A new npm worm dubbed "IndonesianFoods" has doubled the number of known malicious packages
npm worm44 000malicious packagesinfosecurity magazinepublishes
https://simonwillison.net/2026/Jan/26/chatgpt-containers/
ChatGPT Containers can now run bash, pip/npm install packages, and download files
One of my favourite features of ChatGPT is its ability to write and execute code in a container. This feature launched as ChatGPT Code Interpreter nearly three...
npm installdownload fileschatgptcontainersrun
https://npm-stat.com/charts.html?package=prismjs&from=2012-07
npm-stat: download statistics for NPM packages
download statistics for npm packages
npm stat downloadstatisticspackages
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
npm debug and chalk packages compromised
Mar 17, 2026 - The popular packages debug and chalk on npm have been compromised with malicious code
packages compromisednpmdebugchalk
https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent/
Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2 -...
A coordinated campaign of thirty-six malicious npm packages published by four sock-puppet accounts (umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1)...
thirty sixmalicious npmdeploy redisstrapipackages
https://npm-stat.com/charts.html?author=hemanth&from=2009-01-01&to=2022-01-13
npm-stat: download statistics for NPM packages
download statistics for npm packages
npm stat downloadstatisticspackages
https://stackoverflow.com/posts/70249595/revisions
Revisions to How to list npm user-installed packages? - Stack Overflow
Stack Overflow | The World's Largest Online Community for Developers
npm userinstalled packagesstack overflowrevisionslist