Lazarus Group concealed a four-module remote access toolkit inside six fake npm Rollup polyfill packages that fired at import ...
GitHub's npm package manager will ship its most significant security redesign in years this July, when npm v12 makes three long-automatic install behaviors require ...
With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit approval from July 2026.
GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking supply-chain attacks abusing behaviors triggered by the 'npm install' command.
The change, expected in July, will likely block one of the more common attack vectors; developers are wondering what took GitHub so long, and why other repositories acted so much sooner. The ability ...
The campaign spans npm, Packagist, Go, and Chrome, using obfuscated JavaScript loaders and VS Code tasks to deliver malware.
NPM has announced new version (v12) of the npm package manager in a bid to prevent software supply chain attacks. In a blog post published on June 9, a team of npm developers at Microsoft-owned GitHub ...
JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
Installing a piece of code from NPM will no longer auto-run malware on the system, and won’t quietly pull malicious code from external repos unless the developer explicitly allows it. But this won’t ...
GitHub will change npm's defaults so the install command no longer runs scripts automatically, disabling a feature commonly exploited by malicious packages such as the notorious Shai-Hulud worm.