Ars Technica

Malicious packages sneaked into NPM repository stole Discord tokens

My employer requires every upstream package, and every dependency, to go to the security team for review and approval before it can even be used. We then need to get another approval for long-term ...
CNBC

Microsoft's GitHub agrees to buy code-distribution start-up Npm

Npm Inc. runs a service many developers use to install software on computers. Microsoft-owned GitHub said it will continue to operate the Npm public registry for distributing JavaScript code.
ZDNet

Malicious npm packages caught installing remote access trojans

The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers ...
Bleeping Computer

Compromised JavaScript Package Caught Stealing npm Credentials

A hacker has gained access to a developer's npm account and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the ...