GitHub moves to tighten npm security amid phishing, malware plague

stapp · Sep 23, 2025 at 9:33 AM

GitHub, which owns the npm registry for JavaScript packages, says it is tightening security in response to recent attacks.
September has been a bad month for npm with phishing attacks on package maintainers and hundreds of packages infected by secret-stealing malware.
GitHub security lab lead Xavier René-Corail said that more than 500 compromised packages have been removed and others blocked from upload by security scanning.
Click to expand...

https://www.theregister.com/2025/09/23/github_npm_registry_security/

ronjor · Sep 23, 2025 at 8:36 PM

Widespread Supply Chain Compromise Impacting npm Ecosystem

Release Date September 23, 2025
CISA is releasing this Alert to provide guidance in response to a widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com. A self-replicating worm—publicly known as “Shai-Hulud”—has compromised over 500 packages.
Click to expand...

Log in or Sign up

GitHub moves to tighten npm security amid phishing, malware plague

stapp Global Moderator

ronjor Global Moderator

Log in or Sign up

GitHub moves to tighten npm security amid phishing, malware plague

stapp Global Moderator

ronjor Global Moderator

Useful Searches