https://www.bleepingcomputer.com/news/security/new-wave-of-fake-interviews-use-35-npm-packages-to-spread-malware/
A new wave of North Korea's 'Contagious Interview' campaign is targeting job seekers with malicious npm packages that infect dev's devices with infostealers...
https://codeberg.org/freesewing/freesewing
freesewing - Freesewing's monorepo holding all our NPM packages, including our core library
https://docs.npmjs.com/adding-dist-tags-to-packages/
Documentation for the npm registry, website, and command-line interface
https://www.theregister.com/2025/11/14/selfreplicating_supplychain_attack_poisons_150k/
Nov 14, 2025 - Amazon spilled the TEA
https://github.com/kevinslin/safe-npm?cmid=68bbf2b5-2b82-42a2-af26-84f1fb3dc2e4
Safely install NPM packages. Contribute to kevinslin/safe-npm development by creating an account on GitHub.
https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
Hundreds of trojanized versions of well-known packages such as Zapier, ENS Domains, PostHog, and Postman have been planted in the npm registry in a new...
https://itsmycode.com/unable-to-resolve-dependency-tree-error-when-installing-npm-packages/
Oct 19, 2024 - The "Unable to resolve dependency tree" error when installing npm packages occurs when you install the node dependencies with the latest version of NPM (v7).
https://forwardemail.net/en/blog/docs/how-npm-packages-billion-downloads-shaped-javascript-ecosystem
In the JavaScript and Node.js world, some packages are essential—downloaded millions of times daily and powering apps worldwide. Behind these tools are...
https://www.csoonline.com/article/4115417/malicious-npm-packages-target-n8n-automation-platform-in-a-supply-chain-attack.html
Jan 12, 2026 - Researchers discovered malicious npm packages posing as n8n integrations, exfiltrating OAuth tokens and API keys from enterprise workflows.
https://arethetypeswrong.github.io/
Are The Types Wrong? - Tool for analyzing TypeScript types of npm packages
https://www.csoonline.com/article/4050956/malicious-npm-packages-use-ethereum-blockchain-for-malware-delivery.html
Sep 3, 2025 - Ethereum smart contracts used to hide URL to secondary malware payloads in an attack chain triggered by a malicious GitHub repo.
https://jfrog.com/blog/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected/
Dec 2, 2025 - Learn about the ongoing Shai Hulud npm supply chain attack, including all currently known compromised packages
https://deno.com/blog/v2.3
Deno 2.3 adds new features for deno compile and deno fmt, support for using local npm packages, several performance improvements, and more. Here are the...
https://www.pika.dev/
Find modern, web-ready packages on npm. Get faster, smaller JavaScript bundles.
https://arstechnica.com/security/2025/10/npm-flooded-with-malicious-packages-downloaded-more-than-86000-times/
Oct 30, 2025 - Packages downloaded from NPM can fetch dependencies from untrusted sites.
https://www.csoonline.com/article/4028412/supply-chain-attack-compromises-npm-packages-to-spread-backdoor-malware.html
Jul 24, 2025 - Phishing attacks on package maintainer accounts led to infected JavaScript type testing utilities.
https://sqmagazine.co.uk/shai-hulud-npm-attack-zapier-postman-exposed/
Nov 24, 2025 - Shai-Hulud malware hits Zapier, ENS, and Postman, infecting 500+ npm packages and leaking thousands of developer secrets to GitHub.
https://www.aikido.dev/blog/npm-supply-chain-phishing-campaigns
A targeted spear-phishing campaign used npm packages and jsDelivr as free phishing infrastructure, serving custom credential harvesters per victim
https://www.reversinglabs.com/news/techradar-new-attacks-exploit-vscode-extensions-and-npm-packages
Developers targeted by malicious Microsoft VSCode extensions
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
The popular packages debug and chalk on npm have been compromised with malicious code
https://dev.to/opctim/a-small-script-to-detect-sha1-hulud-20-affected-packages-in-npm-projects-3le9
Nov 25, 2025 - As of November 25th, 2025, the Shai Hulud 2 supply-chain incident is still in the process of being... Tagged with security, shaihulud, npm.
https://www.infoworld.com/article/4086337/malicious-npm-packages-contain-vidar-infostealer.html
Nov 6, 2025 - Researchers say the malware was in the repository for two weeks, advise precautions to defend against malicious packages.
https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/
Oct 15, 2025 - We dissect a recent incident where npm packages with millions of downloads were infected by the Shai-Hulud worm. Kaspersky experts describe the starting point...
https://www.aikido.dev/blog/introducing-safe-chain
Safe-Chain by Aikido is a powerful tool to prevent installing any malicious package version by verifying each package with the Aikido Intel database and...
https://www.silvestar.codes/articles/my-favorite-npm-packages/
I’ve compiled a list of my favorite npm packages that I use on a daily basis.
https://www.csoonline.com/article/4082195/malicious-packages-in-npm-evade-dependency-detection-through-invisible-url-links-report.html
Oct 30, 2025 - Researchers outline how the PhantomRaven campaign exploits hole in npm to enable software supply chain attacks.
https://www.csoonline.com/article/4026380/prettier-eslint-npm-packages-hijacked-in-a-sophisticated-supply-chain-attack.html
Jul 22, 2025 - DLL-based malware targets Windows users after a phishing campaign tricked the maintainer into leaking a token.
https://www.bleepingcomputer.com/news/security/self-propagating-supply-chain-attack-hits-187-npm-packages/
Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack. The coordinated worm-style campaign dubbed...
https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat
Jan 7, 2026 - ThreatLabz identified malicious NPM packages that deliver NodeCordRAT, which performs credential theft and steals cryptocurrency wallet data.
https://safedep.io/malicious-npm-packages-hyatt-campaign/
Three malicious npm packages disguised as Hyatt internal dependencies were discovered using install hooks to execute malicious payloads. All packages share...