InfoWorld

Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud

A researcher at Koi Security says the two key platforms have not plugged the vulnerabilities enabling the worm attacks, and ‘the JavaScript ecosystem deserves better.’ Javascript developers should ...
heise online

Popular JavaScript package is: Malware through supply chain attack

Maintainer Jordan Harband writes on Bluesky that attackers had taken over the account of another project manager. Versions 3.3.1 and 5.0.0 of the package are affected. Both versions were apparently ...