GitHub proposal for Sigstore adoption faces backlash from developers
Developers object to GitHub's suggestion to use Sigstore to enhance network security by connecting npm packages to their inputs.
GitHub, which runs the npm package management system, is offering to incorporate new security features to npm because npm is regularly used by many JavaScript and Typ...
17 malicious packages found in Node.js Package Manager (NPM)
Another 17 malicious packages have been discovered in an open-source repository by researchers. In recent times, it has become clearer that these repositories can be, have been, and will continue to be used to spread malware.
The malicious code was found in NPM, where 11 million developers trade mo...
Security warnings in ‘npm audit’ are distracting developers
Dan Abramov, a software engineer at Facebook, published a plea last week to fix a particularly problematic JavaScript security tool. Its creators agreed that it could be improved. In his blog post, Abramov said that ‘as of today, npm audit is a stain on the entire npm ecosystem.’
He added that ...
GitHub buys open-source JavaScript registry npm
GitHub, part of Microsoft, is investing heavily in the open source software community. It recently took over npm, the startup behind the open source registry for JavaScript software packages.
With the takeover, the well-known open-source community gets a software package registry with a total of 1.3 ...
Microsoft discovers malicious npm package
Microsoft has discovered a malicious npm package that steals data from Unix systems. The npm (Node Package Manager) security team for JavaScript has taken the malicious package off the air.
The malicious package is called 1337qq-js and was uploaded to the npm repository on December 30th. The pac...