Hackers breach Toptal GitHub account, publish malicious npm packages
Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. [...]
Node.js security covers vulnerabilities, dependency risks, and runtime defenses that can affect server-side applications and their data.
Search across headline titles and summaries.
Background for this topic.
Node.js is an open-source, cross-platform runtime that executes JavaScript outside a web browser, using Google’s V8 engine. Its event-driven, non-blocking input/output model is widely used for web servers, APIs, command-line tools, and backend services. The runtime is not itself an application framework; security outcomes depend substantially on the code and modules running within it.
Security concerns include vulnerabilities in the Node.js runtime, insecure application logic such as injection or server-side request forgery, and risks from the large npm dependency ecosystem. Malicious or compromised packages, unsafe install scripts, transitive dependencies, and prototype-pollution flaws can expand an application’s attack surface. Practitioners should track runtime and package advisories, use lockfiles and dependency review, restrict package-install and process permissions where practical, validate untrusted input, and protect credentials and session data. During incidents, dependency inventories and build records help determine whether a vulnerable module or runtime was deployed.
Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. [...]
The "is" package was infected with cross-platform malware after a scam targeting maintainers The popular npm package "is" was infected with cross-platform malware, around the same time that linting utility packages used with the prettier code formatter were infected with Windows-only malware.…
The popular NPM package 'is' has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to compromised devices. [...]
npm has taken down all versions of the Stylus library and replaced them with a "security holding" page, breaking pipelines and builds worldwide that rely on the package. [...]