Lazarus Group concealed a four-module remote access toolkit inside six fake npm Rollup polyfill packages that fired at import ...
JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
How-To Geek on MSN
I stopped maintaining 30 JSON files by hand with this one tool
Connect all your configuration files and autogenerate code—Jsonnet is the missing piece for large code bases.
From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
June 19, 2026 update: Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector. The ...
A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL. "Although the ...
Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer ...
On March 31, 2026, two new npm packages for updated versions of Axios, a popular HTTP client for JavaScript that simplifies making HTTP requests to a REST endpoint with over 70 million weekly ...
valid-repository-directory Enforce that if repository directory is specified, it matches the path to the package.json file 📦 💡 This group of rules allows you to require that the associated top-level ...
This is a fully featured package.json scaffolding tool. It goes above and beyond the basic npm init by supporting (almost) all of the keys you can set in a package.json. It can be used as a simple cli ...
Some results have been hidden because they may be inaccessible to you
Show inaccessible results