GitHub has announced what it said are "breaking changes" coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat ...

Red Hat hit by npm supply‑chain attack - here's how to stay safe ...

With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit ...

Over 100 NPM and PyPI packages were injected with malicious code in the Miasma and Hades Shai-Hulud supply chain attack ...

IT之家5 月 25 日消息，国家网络安全通报中心今日发布预警，称监测发现，全球主流 JavaScript 软件包管理平台 npm 遭“沙虫”（Shai-Hulud）供应链投毒攻击。攻击者攻陷了 npm 官方维护者账户，并在短时间内批量投放大量恶意软件包，涉及 300 余个独立程序包的 600 余个恶意版本，影响多个热门开源项目。 据介绍，当开发者安装恶意依赖包后，程序会自动在本地主机、CI / ...

A malware named IronWorm spread through 36 npm packages in the Arweave ecosystem, stealing developer credentials and self ...

Microsoft Threat Intelligence identified a large-scale npm supply chain attack affecting 32 maliciously modified packages across more than 90 versions under the ...

The Miasma credential-stealing attack framework, which has recently targeted open-source ecosystems through supply-chain ...