CSO Online

Compromised npm package silently installs OpenClaw on developer machines

While the AI itself wasn’t weaponized, the technique raises concerns about AI agents with broad system access.
IEEE

Detecting Malicious Packages in PyPI and npm by Clustering Installation Scripts

Abstract: Software repositories such as PyPI and npm are vital for software development but expose users to serious security risks from malicious packages. The malicious packages often execute their ...
The Hacker News

Self-Replicating Worm Hits 180+ npm Packages to Steal Credentials in Latest Supply Chain Attack

Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers. "The compromised ...
The Hacker News

Nine-Year-Old npm Packages Hijacked to Exfiltrate API Keys via Obfuscated Scripts

Cybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised ...
GitHub

The effortlessly way to run your package.json scripts

After that, just choose the script that you want to run, and RunScript make the rest, since choosing npm or yarn to run your script based on the lock file present in the folder, to logging all of the ...
GitHub

Ignores not being honored for package.json scripts

Using knip 5.26.0 I'm finding that it won't ignore files referenced by scripts in the package.json. If I downgrade to 5.9.4 it works as expected, but starting in 5.10.0-canary.0 I see the current ...