
Worried about occasional npm malware scares? It's more common than you may think
2022-02-03 01:05

WhiteSource, a security firm based in Israel, says that in 2021, it detected 1,300 malicious npm packages.

The npm registry is an online repository for distributing code packages that provide ready-made functions to developers using JavaScript and related languages.

The potential for damage is significant because npm packages routinely depend on other packages, which in turn depend on others, so a single install pulls in a tree of transitive dependencies and each of them becomes part of the application's attack surface.

As one 2019 study [PDF] found, "Installing an average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers."
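To make the "implicit trust" figure concrete, here is a small Node.js script, added as an example and not part of the original article or the cited study, that walks a package-lock.json (lockfileVersion 2 or 3, which records every installed copy under a "packages" map keyed by filesystem path) and counts how many packages a project's direct dependencies transitively pull in. The lockfile embedded below is constructed for illustration; it includes a nested duplicate of one package and a dependency missing from the lockfile to show both cases. Maintainer counts, which the study also reports, need registry metadata and are not computed here.

```javascript
// Constructed sample lockfile (not a real project). "" is the root project itself.
// "delta" is a dev-only entry not reachable from the root's runtime dependencies,
// and "epsilon" is declared but absent, to exercise the unresolved path.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { alpha: "^1.0.0", epsilon: "^1.0.0" } },
    "node_modules/alpha": { version: "1.2.0", dependencies: { beta: "^2.0.0", gamma: "^1.0.0" } },
    "node_modules/beta": { version: "2.1.0", dependencies: { gamma: "^0.9.0" } },
    "node_modules/beta/node_modules/gamma": { version: "0.9.5" },
    "node_modules/gamma": { version: "1.0.3" },
    "node_modules/delta": { version: "3.0.0", dev: true }
  }
};

// Resolve a dependency name the way Node does: look for node_modules/<dep> next to the
// requiring package, then walk up one node_modules level at a time to the project root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from startPath over runtime dependencies, collecting every installed
// copy that is reachable. Returns the reachable paths plus any edges that did not resolve.
function transitiveClosure(lock, startPath = "") {
  const packages = lock.packages;
  const seen = new Set();
  const unresolved = [];
  const stack = [startPath];
  while (stack.length) {
    const path = stack.pop();
    const entry = packages[path];
    if (!entry) continue;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(packages, path, dep);
      if (target === null) {
        unresolved.push(`${path || "<root>"} -> ${dep}`);
        continue;
      }
      if (!seen.has(target)) {
        seen.add(target);
        stack.push(target);
      }
    }
  }
  return { paths: [...seen].sort(), unresolved };
}

// Summarise the trust set: installed copies (nested duplicates count separately) and
// distinct package names (scoped names such as @scope/pkg are kept whole).
function trustSummary(lock) {
  const { paths, unresolved } = transitiveClosure(lock);
  const marker = "node_modules/";
  const names = new Set(paths.map(p => p.slice(p.lastIndexOf(marker) + marker.length)));
  return { installedCopies: paths.length, distinctPackages: names.size, unresolved };
}

console.log(JSON.stringify(trustSummary(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json (for example `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`); the distinctPackages figure is the number of third-party packages you are implicitly trusting, and a non-empty unresolved list means the lockfile and package.json have drifted apart.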

The npm registry receives some 17,000 new packages daily or 6.2 million over the course of a year.

Finding 1,300 malicious packages among the new and pre-existing packages over that period shows that poisoned packages are rare in proportion, but there is still reason for concern given the consequences for anyone who installs one.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/02/03/npm_malware_report/