How-To Geek: NPM packages are infected with malware, again. “It should be noted that the issue actually seems to spill over into the Maven ecosystem. Researchers observed that the malicious payload was present in org.mvnpm:posthog-node, a Maven artifact automatically generated from npm packages. This confirms that the automated bridging of software ecosystems can inadvertently bridge security […]

https://rbfirehose.com/2025/11/26/how-to-geek-npm-packages-are-infected-with-malware-again/

How-To Geek: NPM packages are infected with malware, again | ResearchBuzz: Firehose

ResearchBuzz: Firehose | Individual posts from ResearchBuzz
🐛 Oh joy, another thrilling episode of "Whack-a-Mole: Software Edition," where 300+ NPM packages show us that open source security is an oxymoron! 🎉 #HelixGuard struts in with their clipboard and magnifying glass, ready to save the day—right after the damage is done. 🔍📝
https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24 #openSourceSecurity #NPMpackages #softwareVulnerabilities #cybersecurity #HackerNews #ngated
HelixGuard

Supply chain security, vulnerability intelligence, and malware detection.

Moving Beyond the NPM elliptic Package

If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules. Art: CMYKat Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using the Wycheproof.

http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/

#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages

Moving Beyond the NPM elliptic Package - Dhole Moments

Dhole Moments
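Before you can follow a removal guide like the one linked above you need to know every path by which `elliptic` reaches your project, since each direct dependency that drags it in has to be bumped, overridden or swapped separately. The script below is an added example, not code from the post or from the elliptic-to-noble README: it walks the JSON that `npm ls --all --json` prints and lists those paths. The sample tree (`example-app`, `some-wallet-lib`, `tiny-bn`) is constructed for the demonstration.

```javascript
// Added example (not code from the post or from the elliptic-to-noble
// README): list every dependency path through which `elliptic` reaches a
// project, from the JSON that `npm ls --all --json` prints. Removing the
// package means fixing each of these paths (bump the dependent, add an
// `overrides` entry, or swap the library), so the list is the to-do list.

// Walk the nested `dependencies` objects of an `npm ls --json` tree and
// collect the chain of `name@version` steps (root excluded) that ends at
// each occurrence of `target`.
function findDependencyPaths(tree, target) {
  const paths = [];
  const visit = (node, chain) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const step = `${name}@${child.version || "?"}`;
      const next = [...chain, step];
      if (name === target) paths.push(next);
      // Subtrees npm has de-duplicated carry `deduped: true` and no
      // children, so recursion ends there on its own.
      visit(child, next);
    }
  };
  visit(tree, []);
  return paths;
}

// Names of the direct dependencies that (transitively) bring the target in;
// a direct `elliptic` entry shows up as "elliptic" itself. The regex strips
// the trailing "@version" and leaves scoped names like "@scope/pkg" intact.
function firstHopDependents(paths) {
  return [...new Set(paths.map((p) => p[0].replace(/@[^@]*$/, "")))];
}

function formatPaths(paths) {
  return paths.map((p) => p.join(" > ")).join("\n");
}

// Constructed sample in the shape of `npm ls --all --json` output. The
// package names other than `elliptic` and `express` are made up.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    elliptic: { version: "6.5.4" },
    "some-wallet-lib": {
      version: "2.1.0",
      dependencies: {
        elliptic: { version: "6.5.4" },
        "tiny-bn": { version: "0.3.0" },
      },
    },
    express: { version: "4.19.2" },
  },
};

const sampleHits = findDependencyPaths(SAMPLE_TREE, "elliptic");
console.log(`elliptic reached via ${sampleHits.length} path(s):`);
console.log(formatPaths(sampleHits));
console.log("direct dependencies to fix:", firstHopDependents(sampleHits).join(", "));
```

To run it against a real project, save `npm ls --all --json > tree.json` from the project root and pass `JSON.parse(fs.readFileSync("tree.json", "utf8"))` to `findDependencyPaths` in place of `SAMPLE_TREE`; `npm ls` exits non-zero when the tree has problems, but it still prints the JSON.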

There's a new release for bgg-client, my JavaScript library for making it easier to use the BoardGameGeek API in your apps!

I've added validation, and have done a lot of work behind the scenes to ensure data integrity, more consistent typing, and better type-safety.

https://www.npmjs.com/package/bgg-client

#webdev #javascript #typescript #NPMPackages #boardgames

bgg-client

Latest version: 2.0.0, last published: 5 minutes ago. Start using bgg-client in your project by running `npm i bgg-client`. There are no other projects in the npm registry using bgg-client.

npm

Just dropped a new release of bgg-client with a breaking change:

An API key from BoardGameGeek is now required.

https://www.npmjs.com/package/bgg-client

#webdev #javascript #NPMPackages #boardgames

🎩✨ "Let the little guys in," they say, as if trusting your bank account and ChatGPT with any random npm package is the next big thing! 🤡 Here’s a revolutionary thought: instead of locking down data, let’s just open the floodgates and watch as the personalized web devolves into majestic chaos. 🚀🌐
https://arjun.md/little-guys #OpenData #WebChaos #npmPackages #TrustInTech #PersonalizedWeb #HackerNews #ngated
Let the little guys in: Towards a context sharing runtime for the personalised web | Arjun Khoosal

Arjun's website :)

A colleague pointed me to this:
https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code

TLDR: Some #malware in fake #npmpackages downloads and executes commands stored in an #Ethereum #smartcontract, effectively abusing the contract as a command-and-control server.

#npm #smartcontracts

Ethereum smart contracts used to push malicious code on npm | ReversingLabs

RL discovered how the contracts were abused — and how this incident is part of a larger campaign to promote malicious packages on top repositories.

ReversingLabs
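The pattern in the post has three parts a defender can look for in an unpacked package: something that runs at install time, something that reads from an Ethereum node over JSON-RPC, and something that executes what came back. The script below is an added example, not code from the ReversingLabs write-up or from the packages it describes. It is a heuristic triage pass over package fixtures; the fixtures (`honest-eth-reader`, `native-addon`, `shady-tool`, `plain-util`), their file contents, the `0x1111…` address and the verdict tiers are all constructed for the demonstration, and the RPC method names are simply the public Ethereum JSON-RPC API, not indicators from any specific campaign.

```javascript
// Added example, not code from the ReversingLabs write-up or from the
// packages it describes: a heuristic triage pass over unpacked npm
// packages for the two ingredients of the pattern in the post, an
// install-time lifecycle script and code that reads from an Ethereum
// node over JSON-RPC, plus the "execute what came back" half. None of
// these alone is proof of malice (build scripts and wallet libraries do
// this legitimately); all three in one small package is worth a look.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Generic Ethereum JSON-RPC indicators. Method names come from the public
// JSON-RPC API; nothing here is an indicator from any specific campaign.
const ETH_RPC_PATTERNS = [
  /\beth_call\b/, // read contract state without sending a transaction
  /\beth_getStorageAt\b/,
  /\beth_getLogs\b/,
  /["']0x[0-9a-fA-F]{40}["']/, // quoted 20-byte address literal
  /\b(ethers|web3)\b/, // common client libraries
];

// Turning fetched data into execution.
const EXEC_PATTERNS = [/\bchild_process\b/, /\bnew Function\s*\(/, /\beval\s*\(/];

// `pkg` is { manifest: <parsed package.json>, files: { relativePath: source } }.
// Verdict tiers are this example's own scheme, not a standard.
function triagePackage(pkg) {
  const scripts = pkg.manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
  const ethHits = [];
  const execHits = [];
  for (const [path, src] of Object.entries(pkg.files)) {
    if (ETH_RPC_PATTERNS.some((re) => re.test(src))) ethHits.push(path);
    if (EXEC_PATTERNS.some((re) => re.test(src))) execHits.push(path);
  }
  let verdict = "clean";
  if (hooks.length && ethHits.length && execHits.length) verdict = "review-now";
  else if (hooks.length && (ethHits.length || execHits.length)) verdict = "suspicious";
  else if (hooks.length || ethHits.length) verdict = "note";
  return { name: pkg.manifest.name, hooks, ethHits, execHits, verdict };
}

function triageAll(pkgs) {
  return pkgs.map(triagePackage);
}

// Constructed fixtures standing in for unpacked node_modules entries; the
// package names, file contents and the 0x1111... address are made up.
const FIXTURES = [
  {
    manifest: { name: "honest-eth-reader", version: "1.0.0" },
    files: {
      "index.js":
        'const { ethers } = require("ethers");\n' +
        'module.exports = (url) => new ethers.JsonRpcProvider(url);\n',
    },
  },
  {
    manifest: { name: "native-addon", version: "3.2.1", scripts: { install: "node-gyp rebuild" } },
    files: { "index.js": 'module.exports = require("./build/Release/addon.node");\n' },
  },
  {
    manifest: { name: "shady-tool", version: "0.0.1", scripts: { postinstall: "node setup.js" } },
    files: {
      "setup.js":
        'const { execSync } = require("child_process");\n' +
        'const body = JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",\n' +
        '  params: [{ to: "0x1111111111111111111111111111111111111111", data: "0x" }, "latest"] });\n' +
        '// POST body to an RPC endpoint, decode the returned hex, then:\n' +
        'execSync(decodedCommand);\n',
    },
  },
  {
    manifest: { name: "plain-util", version: "1.0.0" },
    files: { "index.js": "module.exports = (a, b) => a + b;\n" },
  },
];

for (const r of triageAll(FIXTURES)) {
  console.log(`${r.verdict.padEnd(10)} ${r.name} hooks=[${r.hooks}] eth=[${r.ethHits}] exec=[${r.execHits}]`);
}
```

To point this at a real tree, build one `pkg` object per directory under node_modules by parsing its package.json into `manifest` and reading its `.js`/`.cjs`/`.mjs` files into `files`, then feed the array to `triageAll`. Treat "review-now" as a prompt to read the install script by hand, not as a verdict: obfuscated or minified code will dodge these regexes, and a wallet library with a build step will trip them.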
Malicious npm Packages Exploit Ethereum Smart Contracts

A malicious campaign using Ethereum smart contracts has been observed targeting developers via npm and GitHub

Infosecurity Magazine
Scavenger Malware Compromises Popular npm Packages to Target Developers

The well-known npm package eslint-config-prettier was released without authorization, according to several GitHub users.

GBHackers Security | #1 Globally Trusted Cyber Security News Platform
I keep forgetting to update packages that I don't use often. That's a downside of installing packages standalone, but it's still way easier than rebuilding packages from source after every major update.
#npm #NPMPackages