Update 8/5/25: Added Toptal's statement at the end of the article, which says their investigation determined no one was impacted by this breach. Hackers compromised Toptal's GitHub organization account ...
Multiple npm packages published by the crypto exchange, dYdX, and used by at least 44 cryptocurrency projects appear to have been compromised. Powered by the Ethereum blockchain, dYdX is a ...
Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. Last week, JFrog researchers disclosed the scheme in which an unknown threat actor ...
Security researchers have uncovered another large-scale, coordinated attack on the npm ecosystem, using worm-like techniques to spread spam packages. Dubbed “IndonesianFoods” due to the unique naming ...
Ten typosquatted npm packages delivered infostealing malware to nearly 10,000 systems. Malware targeted system keyrings, bypassing app-level security to steal decrypted credentials. Affected users must ...
Since the beginning of July, packages with well-hidden malicious code have been available in the JavaScript package manager npm. The company Socket, which specializes in software supply chain security ...
GitHub will enforce 2FA and deprecate legacy tokens to improve package publishing security. Trusted Publishing will expand, and token-based publishing will be restricted by default. Shai-Hulud worm ...
Threat actors have likely made off with sensitive host and network information from developers’ systems in a coordinated malware campaign, involving 60 malicious npm packages, that were live for just ...
The Node Package Manager, NPM, has become a powerful and important tool, supporting many different JavaScript frameworks — including JQuery, AngularJS, and React JS. If you’re building JavaScript ...