InfoWorld

Malicious npm package sneaks into GitHub Actions builds

The typosquatted “@acitons/artifact” package targeted GitHub’s CI/CD workflows, stealing tokens and publishing malicious ...

Popular JavaScript library expr-eval vulnerable to RCE flaw

A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be ...
The Hacker News

Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack

The coordinated campaign has so far published as many as 46,484 packages, according to SourceCodeRED security researcher Paul ...
InfoWorld

Worm flooding npm registry with token stealers still isn’t under control

Goal is to steal Tea tokens by inflating package downloads, possibly for profit when the system can be monetized.