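A: SANDWORM_MODE is an active supply-chain worm campaign that uses at least 19 malicious npm packages to harvest credentials and steal cryptocurrency keys. It can steal system information, access tokens, environment secrets and API keys, and it spreads automatically by abusing stolen npm and GitHub identities to widen its impact.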
In short, npm has taken an important step forward by eliminating permanent tokens and improving defaults. Until short-lived, ...
至顶头条 on MSN
Lazarus Group plants malicious packages on npm and PyPI
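Cybersecurity researchers have discovered a series of malicious packages linked to North Korea's Lazarus Group, spread across the npm and PyPI repositories. The campaign, codenamed graphalgo, has been active since May 2025. The attackers approach developers through fake job offers on social platforms such as LinkedIn and Facebook or on Reddit forums, and created a blockchain company, Veltrix Capital, as cover. The malicious packages are planted indirectly through dependencies and deploy a remote access trojan that collects system information. The research also found other malicious npm package campaigns, including B ...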
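Vercel founder Guillermo Rauch shared a striking figure: the Skills.sh platform now adds more than 550 skills per hour. This growth rate recalls the explosive period of the npm ecosystem. Skills.sh is a skill-sharing platform designed for AI agents; developers can quickly obtain and use a variety of prebuilt skills through a simple command-line tool. Run npx skills@latest to try it.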
A self-replicating npm worm dubbed SANDWORM_MODE hits 19+ packages, harvesting private keys, BIP39 mnemonics, wallet files and LLM API keys from dev environments.
The npm registry now includes Socket security analysis links directly on package pages to help developers assess supply chain risks.
The team behind npm, the biggest package manager for JavaScript libraries, issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary ...
As NPM is the package manager of Node.js, it is highly recommended to download the latest version of Node.js when you see the above-mentioned error. To download the ...