Lots of people are asking why the npm and Node.js thing are so dangerous…
There are “over 3.1 million packages are available in the main npm registry”, and there’s no mechanism to review or approve the packages. 
Recent searches
Search options
#nodejs
25 posts21 participants2 posts today
You have to be shitting me. God I fucking hate npm.
I literally spent an hour trying to diagnose why the builder was "freezeing" for several minutes, and it's because it downloads thousands of packages for a project with... 20 dependencies.
Fuck NPM. Fuck JavaScript.
#Development #Analyses
Oh no, not again... · “NPM has become the easiest way to ship malware.” https://ilo.im/166ych
_____
#Microsoft #GitHub #Npm #NodeJS #JavaScript #Malware #Security #WebDev #Frontend #Backend
Look out, there's a worm in NPM that is spreading between packages. A few hundred infected so far. Be very careful with npm install in the next few days.
https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
www.aikido.devS1ngularity/nx attackers strike againThe attackers behind the nx attack have struck again, targeting a large amount of packages, with a first-of-its-kind worm payload.
Self-replicating worm hits 180+ npm packages in (largely) automated supply chain attack https://www.helpnetsecurity.com/2025/09/16/self-replicating-worm-hits-180-npm-packages-in-largely-automated-supply-chain-attack/ #supplychainattacks #AikidoSecurity #ReversingLabs #StepSecurity #JavaScript #opensource #Don'tmiss #Hotstuff #Nodejs #worms #News #Wiz
Help Net Security · Self-replicating worm hits 180+ npm packages in (largely) automated supply chain attack - Help Net Security
More from 
Zeljka Zorz
npm supply-chain attack alert
“Shai-Hulud” worm is stealing secrets & spreading via malicious packages. If you use Node/npm, audit now, rotate creds, and check GitHub for signs of compromise.
https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
#Cybersecurity #infosec #node #npm #nodejs #shaihulud #coding
wiz.io · Shai-Hulud npm Supply Chain Attack | Wiz BlogLearn how the Shai-Hulud npm worm compromised 100+ packages with data-stealing malware. See how it spreads, the risks, and steps to detect and mitigate.
Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages #NodeJS #JavaScript
So, um, how do I do the NPM equivalent of
$ cargo install --locked mergiraf
Let’s say I want to install https://www.npmjs.com/package/@google/gemini-cli — how do I prevent npm install from fetching malware-ridden dependencies that got published today, and instead have it used the locked version that the maintainers of gemini-cli have verified?
npm@google/gemini-cliGemini CLI. Latest version: 0.4.1, last published: 5 days ago. Start using @google/gemini-cli in your project by running `npm i @google/gemini-cli`. There are 11 other projects in the npm registry using @google/gemini-cli.
Continued thread
…nun noch auf Deutsch (oben englisch) zum JavaScript NPM Hack und wie dies einiges an Web-Software betrifft.
»Neuer NPM-Großangriff — Selbst-vermehrende Malware infiziert Dutzende Pakete:
Womöglich stecken hinter der Attacke dieselben Angreifer wie beim letzten Mal. Ihr Schadcode trägt den Namen eines prominenten Science-Fiction-Monsters in sich.«
heise online · Neuer npm-Großangriff: Selbst-vermehrende Malware infiziert Dutzende Pakete
More from 
Dr. Christopher Kunz
Multiple CrowdStrike packages trojanized in an ongoing npm supply chain attack: This is the same campaign that hit Tinycolor yesterday with identical malware.
Full list of compromised packages + mitigations →
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages #NodeJS #JavaScript
Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.
Our analysis of the malware: https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
After recent npm supply chain attacks, @pnpm 10.16 adds a setting for delayed dependency updates.
Tools like Taze and npm-check-updates are testing similar “maturity” options, hinting at a cautious new trend in #JavaScript package management.
https://socket.dev/blog/pnpm-10-16-adds-new-setting-for-delayed-dependency-updates #NodeJS
Learning web development: Authenticating users with plain Node.js
https://2ality.com/2025/09/authenticating-users-nodejs.html
2ality.comLearning web development: Authenticating users with plain Node.jsIn this chapter, we learn how to write a server that lets users log in via passwords. That process is called authentication.
Pourquoi il est préférable d'importer les modules natifs de Node avec le préfixe `node:`, par exemple :
```js
import fs from 'node:fs';
```
https://nodevibe.substack.com/p/why-you-want-to-use-prefixed-nodejs
Node Vibe · Why you want to use prefixed Node.js import for built-in modules
Après UDP, voici une description de comment fonctionne Node avec TCP.
https://nodevibe.substack.com/p/tcp-and-nodejs-server-internals-a
Node Vibe · TCP and Node.js Server Internals: A Deep Technical Dive
How to Keep package.json Under Control, by @tmcw (@val.town):
blog.val.townHow to keep package.json under controlUpdates and articles from the Val Town team
Envoyer et recevoir des requêtes UDP avec Node.js, grâce au module `node:dgram`.
L'article insiste néanmoins que Node n'est probablement pas le meilleur choix si votre choix de UDP est lié à un besoin de performances, à cause du coût des différentes couches d'abstraction.
https://nodevibe.substack.com/p/udp-in-nodejs-deep-technical-guide
Node Vibe · UDP in Node.js: deep technical guide
Learning Web Development: JSON and Processing Files in Node.js, by @rauschma:
https://2ality.com/2025/08/javascript-json-processing-files.html
2ality.comLearning web development: JSON and processing files in Node.jsIn this chapter, we explore the popular data format JSON. And we implement shell commands via Node.js that read and write files.