攻击者正在利用一个重大漏洞，该漏洞使他们能够访问 NPM 代码仓库，自 8 月份以来，已上传超过 100 个凭据窃取软件包，并且大部分未被检测到。 安全公司 Koi 周三发布的调查结果，揭示了 NPM 的一项实践，该实践允许已安装的软件包自动从不受信任的域拉取并运行未经审查的软件包。Koi 表示，其追踪的一个名为 PhantomRaven 的活动利用 NPM 的“远程动态依赖（Remote ...

A monthly overview of things you need to know as an architect or aspiring architect. Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with ...

PANews 9月10日消息，DuckDB官推发文称，DuckDB的Node.js和Wasm软件包在近期npm供应链攻击中被植入恶意软件。官方已调查并弃用受影响版本，同时发布新版本。DuckDB表示，根据npm数据，暂无用户下载受影响包。团队已发布安全公告，详述事后分析及应对措施。

NPM has removed multiple packages hosted on its repository this week that established connection to remote servers and exfiltrated user data. These 4 packages had collected over 1,000 total downloads ...

Relatively easy to learn and highly scalable, Node.js has become a very popular platform for developing apps. Now npm, a package manager that installs, publishes and manages node programs, has raised ...

Are you a developer who uses npm as the package manager for your JavaScript or Node.js code? If so, do not -- I repeat do not -- upgrade to npm 5.7.0. Nothing good can come of it. As one user reported ...

Recently, security researchers Socket found 10 packages on npm targeting software developers, specifically those who use the npm (Node Package Manager) ecosystem to install JavaScript and Node.js ...

Researchers have discovered multiple npm packages named after NodeJS libraries that even pack a Windows executable that resembles NodeJS but instead drops a sinister trojan. These packages, given ...

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level. Read now DevOps security firm JFrog discovered 17 ...

Two code packages named "nodejs-encrypt-agent" in the popular npm JavaScript library and registry recently were discovered containing the open source information-stealing TurkoRat malware. Researchers ...