Lots of people are asking why the npm and Node.js thing are so dangerous…
There are “over 3.1 million packages are available in the main npm registry”, and there’s no mechanism to review or approve the packages.
You have to be shitting me. God I fucking hate npm.
I literally spent an hour trying to diagnose why the builder was "freezing" for several minutes, and it's because it downloads thousands of packages for a project with... 20 dependencies.
Fuck NPM. Fuck JavaScript.
#Development #Analyses
Oh no, not again... · “NPM has become the easiest way to ship malware.” https://ilo.im/166ych
_____
#Microsoft #GitHub #Npm #NodeJS #JavaScript #Malware #Security #WebDev #Frontend #Backend
Look out, there's a worm in NPM that is spreading between packages. A few hundred infected so far. Be very careful with npm install in the next few days.
https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
Self-replicating worm hits 180+ npm packages in (largely) automated supply chain attack https://www.helpnetsecurity.com/2025/09/16/self-replicating-worm-hits-180-npm-packages-in-largely-automated-supply-chain-attack/ #supplychainattacks #AikidoSecurity #ReversingLabs #StepSecurity #JavaScript #opensource #Don'tmiss #Hotstuff #Nodejs #worms #News #Wiz
npm supply-chain attack alert
“Shai-Hulud” worm is stealing secrets & spreading via malicious packages. If you use Node/npm, audit now, rotate creds, and check GitHub for signs of compromise.
https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
#Cybersecurity #infosec #node #npm #nodejs #shaihulud #coding
Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages #NodeJS #JavaScript
So, um, how do I do the NPM equivalent of
$ cargo install --locked mergiraf
Let’s say I want to install https://www.npmjs.com/package/@google/gemini-cli — how do I prevent npm install from fetching malware-ridden dependencies that got published today, and instead have it use the locked version that the maintainers of gemini-cli have verified?
…now in German as well (English above) on the JavaScript NPM hack and how it affects quite a bit of web software.
»New large-scale NPM attack. Self-replicating malware infects dozens of packages:
The same attackers as last time may be behind the attack. Their malicious code carries the name of a prominent science fiction monster.«
Multiple CrowdStrike packages trojanized in an ongoing npm supply chain attack: This is the same campaign that hit Tinycolor yesterday with identical malware.
Full list of compromised packages + mitigations →
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages #NodeJS #JavaScript
Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.
Our analysis of the malware: https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
After recent npm supply chain attacks, @pnpm 10.16 adds a setting for delayed dependency updates.
Tools like Taze and npm-check-updates are testing similar “maturity” options, hinting at a cautious new trend in #JavaScript package management.
https://socket.dev/blog/pnpm-10-16-adds-new-setting-for-delayed-dependency-updates #NodeJS
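As an added example (not code from the post above, nor pnpm's own implementation), here is the "cooldown" idea behind delayed dependency updates applied to an npm package-lock.json: every registry entry whose version was published less than a minimum number of days ago is flagged, and so is any version with no known publish time. The lockfile, package names and `publishTimes` map are constructed sample data; `publishTimes` assumes the version-to-timestamp shape of `npm view <name> time --json` output.

```javascript
// Added example (not from any post above, nor pnpm's own code): flag lockfile entries
// whose version was published less than MIN_AGE_DAYS ago, the "cooldown" idea behind
// delayed dependency updates, applied to an npm package-lock.json (lockfileVersion 3).
// Every input below is constructed sample data, not a real registry record.
const MIN_AGE_DAYS = 7;
const REGISTRY = "https://registry.npmjs.org";

// Constructed excerpt of a package-lock.json; keys are install paths, not names.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-lib": {
      version: "2.4.0", resolved: `${REGISTRY}/example-lib/-/example-lib-2.4.0.tgz` },
    "node_modules/@acme/widget": {
      version: "0.9.1", resolved: `${REGISTRY}/@acme/widget/-/widget-0.9.1.tgz` },
    // Nested copy of a dependency: the name is still the last node_modules segment.
    "node_modules/@acme/widget/node_modules/example-lib": {
      version: "1.0.0", resolved: `${REGISTRY}/example-lib/-/example-lib-1.0.0.tgz` },
    "node_modules/local-tool": { version: "0.0.1", resolved: "file:../local-tool" },
  },
};

// Constructed stand-in for what `npm view <name> time --json` returns per package:
// a map of version -> ISO 8601 publish timestamp.
const publishTimes = {
  "example-lib": { "1.0.0": "2023-01-10T00:00:00.000Z", "2.4.0": "2025-09-15T12:00:00.000Z" },
  "@acme/widget": { "0.9.1": "2024-03-01T00:00:00.000Z" },
};

// The package name is everything after the last "node_modules/" in the lockfile key.
function packageName(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Returns registry entries younger than minAgeDays, plus any with no known publish
// time (fail closed: an unknown version is treated as suspect, not as safe).
function findImmatureVersions(lock, times, now = Date.now(), minAgeDays = MIN_AGE_DAYS) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue;                                 // the root project itself
    if (!/^https?:\/\//.test(entry.resolved || "")) continue; // file:/git deps are not registry tarballs
    const name = packageName(key);
    const published = times[name]?.[entry.version];
    const ageDays = published ? (now - Date.parse(published)) / 86_400_000 : null;
    if (ageDays === null || ageDays < minAgeDays) hits.push({ name, version: entry.version, ageDays });
  }
  return hits;
}
```

Running `findImmatureVersions(lockfile, publishTimes)` before `npm ci` and refusing to proceed on a non-empty result gives npm users the same waiting period that the pnpm setting enforces; the real publish times come from `npm view` rather than the constructed map.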
Learning web development: Authenticating users with plain Node.js
https://2ality.com/2025/09/authenticating-users-nodejs.html
Why it is preferable to import Node's built-in modules with the `node:` prefix, for example:
```js
import fs from 'node:fs';
```
https://nodevibe.substack.com/p/why-you-want-to-use-prefixed-nodejs
After UDP, here is a description of how Node works with TCP.
https://nodevibe.substack.com/p/tcp-and-nodejs-server-internals-a
How to Keep package.json Under Control, by @tmcw (@val.town):
Sending and receiving UDP requests with Node.js, using the `node:dgram` module.
The article nevertheless stresses that Node is probably not the best choice if your choice of UDP is driven by performance requirements, because of the cost of the various abstraction layers.
https://nodevibe.substack.com/p/udp-in-nodejs-deep-technical-guide
Learning Web Development: JSON and Processing Files in Node.js, by @rauschma:
https://2ality.com/2025/08/javascript-json-processing-files.html