GitHub will change npm's defaults so the install command no longer runs scripts automatically, disabling a feature commonly ...
With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit ...
CVE Lite CLI helps developers quickly identify and fix vulnerable npm dependencies during development, reducing delays and ...
What is Mini Shai-Hulud npm supply chain attack, and was Microsoft and Socket hit by malware?
A new npm supply chain attack hit hundreds of packages linked to the @antv ecosystem. Attackers used a ...
Morning Overview on MSN
A new malicious npm package just got caught yanking files from users’ local disks — the 'Malware-Slop' campaign targeting developers who trusted a single bad depen…
A malicious npm package tied to a campaign some observers have called “Malware-Slop” has been detected copying files from ...
Days after IBM and Red Hat announced a master security plan for open-source software, Red Hat suffers a major breach of its ...