The Hacker News

GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

npm 12 disables install scripts by default, requiring explicit approval to reduce dependency-based code execution risks.
Bleeping Computer

NPM ecosystem at risk from “Manifest Confusion” attacks

The NPM (Node Package Manager) registry suffers from a security lapse called "manifest confusion," which undermines the trustworthiness of packages and makes it possible for attackers to hide malware ...