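The lightweight JavaScript utility library "is" is a popular project on NPM, with more than 2.2 million weekly downloads. However, on July 19, 2025, the library's developer fell victim to a phishing attack that leaked their account credentials, and the attacker used them to publish malicious versions containing a remote code execution backdoor. Phishing attack compromises developer account: According to reports, project maintainer John ...
PANews, September 10: DuckDB's official X account posted that DuckDB's Node.js and Wasm packages were implanted with malware in the recent npm supply chain attack. The team has investigated and deprecated the affected versions, and has released new versions. DuckDB said that, according to npm data, no users have downloaded the affected packages so far. The team has published a security advisory detailing the post-mortem analysis and response measures.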
Thousands of applications were broken on Tuesday after a programmer unpublished a critical module in npm, a package manager for widely-used JavaScript projects. Countless projects were left in limbo ...
A hacker has gained access to a developer's npm account and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the ...
Is the public NPM JavaScript package registry going away? NPM, the company behind the popular online repository of Node.js and JavaScript code, insists it will remain, despite a recent rumor to the ...
NPM developer qix's account compromise potentially puts user funds at risk by compromising library dependencies used by bitcoin wallets. A major NPM developer, qix, has had their account compromised.
Microsoft continues its push towards open source development with its acquisition of npm.
Microsoft is acquiring Node package manager npm Inc., officials announced on March 16. (Neither company is sharing the purchase price.) Microsoft plans to integrate GitHub with npm with the intent of ...