IT之家5 月 25 日消息，国家网络安全通报中心今日发布预警，称监测发现，全球主流 JavaScript 软件包管理平台 npm 遭“沙虫”（Shai-Hulud）供应链投毒攻击。攻击者攻陷了 npm 官方维护者账户，并在短时间内批量投放大量恶意软件包，涉及 300 余个独立程序包的 600 ...

IT之家 5 月 25 日消息，国家网络安全通报中心今日发布预警，称监测发现，全球主流 JavaScript 软件包管理平台 npm 遭“沙虫”（Shai-Hulud）供应链投毒攻击。攻击者攻陷了 npm 官方维护者账户，并在短时间内批量投放大量恶意软件包，涉及 300 余个独立程序包的 600 ...

Hundreds of malicious packages are being flagged in NPM and PYPI repositories, including those from TanStack and Mistral, which are hugely popular. A broad hacking campaign is targeting millions of ...

Fake packages aim to steal data, credentials, and secrets, and to infect every package created using them, in what could be ‘a complete organizational takeover’. Application developers are being ...

Security teams are grappling with a major supply chain attack on Axios, a popular JavaScript library with over 100 million weekly downloads. The North Korean state actor Sapphire Sleet compromised the ...

On March 31, 2026, two new npm packages for updated versions of Axios, a popular HTTP client for JavaScript that simplifies making HTTP requests to a REST endpoint with over 70 million weekly ...

For years, npm has been the default package manager in the JavaScript ecosystem. It ships with Node.js, works everywhere, and powers millions of projects. But as applications grew larger and monorepos ...

NPM, the Node Package Manager, hosts millions of packages and serves billions of downloads annually. It has served well over the years but has its shortcomings, including with TypeScript build ...

Half a dozen vulnerabilities in the JavaScript ecosystem’s leading package managers — including NPM, PNPM, VLT, and Bun — could be exploited to bypass supply chain attack protections, according to ...