npm
npm packages spread ‘Bladeroid’ crypto-stealer, hijack your Instagram
Sonatype has identified multiple open source packages named sniperv1, sniperv2, among others that infect npm developers with a Windows info-stealer and crypto-stealer called 'Bladeroid.' ...
npm flooded with 748 packages that store movies
Meet npmjs.com, a video and eBook hosting platform — not our words, but it seems that's what goes through the minds of some users (and attackers) recently seen misusing the platform to ...
Fake ‘distube-config’ npm package drops Windows info-stealing malware
Sonatype has identified two npm packages distube-config and discordyt that typosquat open source packages like Discord modules, in an attempt to infect Windows users with a Trojan. Our security researcher, Juan Aguirre, ...
‘everything’ matters — why the npm package sparked controversy
The npm package 'everything' gradually sparked controversy after its publication over the holidays this year ...
npm packages caught exfiltrating Kubernetes config, SSH keys
The Sonatype Security Research team is currently tracking an ongoing campaign on the npm registry that uses npm packages to retrieve and exfiltrate your Kubernetes configuration and SSH keys to an external ...
New npm PoC packages target PayPal Zettle, Airbnb developers
Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers ...
GitHub Developers Targeted by North Korea’s Lazarus Group
The Lazarus Group is behind a social engineering campaign that uses repository invitations and malicious npm packages to target developers on GitHub ...
npm Manifest Confusion – What Is It and Do You Really Need to Worry About It?
Yesterday, Darcy Clarke, a software developer and a former npm CLI team Engineering Manager, steered everyone’s attention towards a gap in the npm registry website – what he calls “manifest confusion.” ...