60 stories tagged with #npm, in publish-time order across the WeSearch catalog. Tag pages update as new stories ingest.
Red Hat hit by npm supply‑chain attack - here's how to stay safe
Days after IBM and Red Hat announced a master security plan for open-source software, Red Hat suffers a major breach of its own. Here's what you can do about it.…
How I fixed a silent hang in the XDG Desktop Portal and turned it into an npm package
I was building Parallel — an Electron app for local network screen sharing on Linux. No server, no...…
Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign | Microsoft Threat Intelligence
Lone attacker published 14 malicious NPM packages
And then Microsoft busted them all…
NPM Packages Attacks
A practical checklist for evaluating npm packages (supply chain attacks, slopsquatting, etc.)
How to evaluate an npm package before adding it to production
Quick checklist for evaluating npm packages before installing
How to Evaluate an NPM Package – 2026 Edition
Stars and downloads tell you about popularity, not safety. Here's a practical checklist for evaluating an npm package's security, reliability, and long-term maintenance in 2026.…
This Week In React #283: TanStack, RSC, Liquid DOM, Performance, i18n, docs, Apollo, shadcn | Expo, Reanimated, worklets, NativeScript, Standard Navigation, Strict DOM, Lynx, Apex, ExecuTorch | TC39, npm, pnpm, Node.js, Deno, Firefox
This Week In React #283: TanStack, RSC, Liquid DOM, Performance| Expo, Reanimated, worklets, NativeScript | TC39, npm, pnpm, Node.js
Hi everyone, Seb and Jan here 👋! This week we have great deep dive blog posts about data fetching...…
NPM introduces allowScripts opt-in install-script policy
Implements Phase 1 of npm/rfcs#868, which makes dependency install scripts opt-in. Install behaviour is unchanged. Scripts still run as they always have. The only Phase 1 user-visi…
Someone hid a full RAT inside a fake npm package and exfiltrated victim data to HuggingFace
Typosquatted npm packages used to steal cloud and CI/CD secrets
TanStack shipped a postmortem for the 42-package npm compromise. Here is what every project should change this week.
TanStack shipped a postmortem for the 42-package npm compromise. Here is what every project...…
Hackers caught hiding OpenAI token-stealing malware in Codex npm package - Cybernews
Comprehensive up-to-date news coverage, aggregated from sources all over the world by Google News.…
Mac Mini M4 16GB froze during npm, pnpm command
I had no Eid plans, so I published an npm package instead
Tired of running `npm audit` across a dozen repos, so I built a self-hosted CVE monitor for your whole portfolio (npm, pnpm, yarn)
Mini Shai-Hulud: A persistent supply-chain worm
On April 29th, Aikido researchers detected multiple compromised Node.js packages in SAP's namespace...…
From npm install to Soulbound Tokens: My First 5 Days Building on Solana
Solana's token system is nothing like what I expected coming from Web2 frontend dev. Here's...…
GSD [NPM get-shit-done-cc] is now OpenGSD
Git. Ship. Done. AI coding agents that own the loop from spec to ship.…
LLM proactively bypassed pnpm's anti-supply-chain-attack config
wait... you did what?! https://t.co/oCEQCeKq58…
Hardening my docker-compose.yml for Pihole & NPM - Is this network configuration secure?
Actually we built something surprisingly good (we built an npm for AI agent skills - Agent SPM) which is "open source"
TrapDoor Supply Chain Campaign Targets npm, PyPI, and Crates.io to Poison AI Coding Agents
An npm Package for AI Agent Orchestration Just Shipped With Its Front Door Unlocked. Here's What the CVE Actually Reveals.
MCP ecosystem is growing fast enough that security researchers are now hunting it like any other...…
Stop using external npm packages just to generate a UUID v4
For years, the go-to move for generating a UUID in Node.js or the browser was installing the uuid...…
I Turned npm outdated into a CI Gate — Here's How
You run npm outdated and see a list of stale packages. But your CI doesn't care. It passes anyway....…
An npm Downloads Comparison Chart in 300 Lines of Vanilla JS — Nice-Tick Math and API-Direct Fetch
"react vs vue vs svelte vs solid-js — who's actually winning?" This tool answers it. Fetches daily...…
TrapDoor supply chain attack hits PyPI, NPM, and crates.io
TrapDoor crypto stealer hits 36 malicious packages across npm, PyPI, and Crates.io, targeting crypto, DeFi, AI, and security developers.…
TrapDoor Cross-Ecosystem Crypto Stealer Campaign
TrapDoor is an active cross-registry supply-chain campaign using npm postinstall hooks, PyPI import-time execution, and Rust build scripts to steal developer, cloud, SSH, and crypt…
Machine: Never run NPM install on your computer
Reproducible, sandboxed Lima VMs for the Claude Code / Codex era. No host filesystem mount. No cross-project bleed.…
TrapDoor supply-chain campaign hits npm, PyPI, and Crates.io with AI-assistant poisoning angle
TrapDoor supply-chain campaign targeted npm, PyPI, and Crates.io packages
Active supply chain attack across NPM, PyPI, and Crates.io
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io. Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and ar…
I Turned npm outdated into a CI Gate — Here’s How
How I built npm-outdated-check to stop dependency drift without breaking CI…
The Crypto Coin was the tell – thoughts on GSD, and its crypto rugpull
GSD’s creator rug-pulled and vanished. He still has NPM publish access to packages with deep shell permissions on your machine. What to do and what it means.…
Publishing a reusable React UI package as an npm module
Publishing a reusable React UI package as an npm module is one of the easiest ways to maintain...…
How `shieldcortex audit --deps` Catches the parikhpreyash4 Supply-Chain Attack
A 700-repo npm supply-chain campaign drops /tmp/.sshd and bolts a fake "Dependency Cache Sync" step into your GitHub Actions. Here's the one-liner that flags it before npm install …
Orbit – Route every AI query to the right model automatically (NPM SDK)
An intelligent AI operating layer that autonomously routes your queries to the optimal model based on task-specific fingerprinting, urgency, and cost.…
I just released version 2 of React Motion Gallery. Source is visible on GitHub. npm i react-motion-gallery
np-audit — Zero-dependency static analyzer that catches malicious npm lifecycle scripts before they execute
Megalodon: Mass GitHub Repo Backdooring via CI Workflows
Over 5,700 malicious commits were pushed to GitHub repositories on May 18, 2026, replacing GitHub Actions workflows with base64-encoded secret exfiltration payloads. The "megalodon…
Valid certificates, stolen accounts: how attackers broke npm's last trust signal
Npmjs.com has Cloudflare captcha on their suggestion API
Staged publishing and new install-time controls for NPM
Today we’re shipping two updates focused on supply-chain security for npm: Staged publishing is generally available. New --allow-* install source flags (--allow-file, --allow-remot…
Move to pnpm from NPM Now
Upgrade your package manager before a supply chain attack makes that decision for you.…
pnpm 11 Might Finally Be a Better Default Than npm
14 npm/PyPI/AI Supply-Chain Threats Today (2026-05-22): Critical Worms, Credential Harvesting, and RCEs
You Should Move to pnpm from npm Now
npm Supply Chain Audit: The Checklist Most Teams Stop Too Early
Originally posted on getcommit.dev. In October 2021, ua-parser-js was used by Facebook, Microsoft,...…
Staged publishing for npm packages | npm Docs
Npm registry sets stage for more secure package publishing
All the world's a stage, and all the packages are merely players…
Show HN: Computer Police – block malicious NPM/pip installs locally
Stop agents from installing malware. A local supply-chain firewall for developers, CI, and coding agents.…
GitHub links the breach of 3,800 internal repositories to the TanStack npm supply-chain attack, saying hackers used a malicious Nx Console VS Code extension (Sergiu Gatlan/BleepingComputer)
Sergiu Gatlan / BleepingComputer : GitHub links the breach of 3,800 internal repositories to the TanStack npm supply-chain attack, saying hackers used a malicious Nx Console VS Cod…