Social engineering campaign targeting tech employees spreads through NPM malware

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • registry

    npm registry documentation

  • More important than the namespace is who published the package. I'm more inclined to trust an individual I know who takes security seriously than a namespace that may change hands.

    NPM exposes that info in the _npmUser field: https://github.com/npm/registry/blob/master/docs/REGISTRY-AP.... That gives "name" (NPM username) and email.

    While there are thousands of packages, I bet there's a much smaller number of publishers to worry about.

  • birdcage

    Cross-platform embeddable sandboxing

  • We (https://phylum.io) actually open sourced our sandbox for this exact purpose.

    https://github.com/phylum-dev/birdcage

    It's baked into our CLI and supports limiting access to network, disk, etc. during package installation. For example, running something like

        phylum npm install react

  • conf

    Simple config handling for your app or module

  • Wow. There is even one package to not use a JavaScript object: https://www.npmjs.com/package/conf
