Lazarus Group concealed a four-module remote access toolkit inside six fake npm Rollup polyfill packages that fired at import ...
JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
Connect all your configuration files and autogenerate code—Jsonnet is the missing piece for large code bases.
June 19, 2026 update: Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector. The ...
A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL. "Although the ...
Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer ...
On March 31, 2026, two new npm packages for updated versions of Axios, a popular HTTP client for JavaScript that simplifies making HTTP requests to a REST endpoint with over 70 million weekly ...
valid-repository-directory Enforce that if repository directory is specified, it matches the path to the package.json file 📦 💡 This group of rules allows you to require that the associated top-level ...
This is a fully featured package.json scaffolding tool. It goes above and beyond the basic npm init by supporting (almost) all of the keys you can set in a package.json. It can be used as a simple cli ...