New attack waves from the 'PhantomRaven' supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers.
An initiative within the JavaScript community is attempting to offer an alternative to the way developers view npm packages via the web. The project is ...
NPM developer qix's account compromise potentially puts user funds at risk by compromising library dependencies used by bitcoin wallets. A major NPM developer, qix, has had their account compromised.
A major JavaScript supply-chain attack has compromised hundreds of software packages — including at least 10 used widely across the crypto ecosystem — according to new research from cybersecurity firm ...
Two code packages named "nodejs-encrypt-agent" in the popular npm JavaScript library and registry recently were discovered containing the open source information-stealing TurkoRat malware. Researchers ...
The open-source project npmx is used for fast searching of npm packages. It focuses on UX, displays vulnerability warnings, ...
Every developer should be paying attention to the local-first architecture movement and what it means for JavaScript. Here’s ...
Package manifests in the npm registry are not validated against metadata files in the package itself, leaving the door open for attackers. The npm (Node Package Manager) ecosystem of JavaScript ...