npm/cli: (0Day) npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Risk 69
Severity 7.8
Advisory: ZDI-26-043

npm/cli: ZDI-26-043: (0Day) npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Risk 69
Severity 7.8

The Register: Poisoned WhatsApp API package steals messages and accounts

BleepingComputer: Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets

npm body-parser: body-parser vulnerable to denial of service when url encoding is used

Risk 28
Severity 5.5

BleepingComputer: Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub

The Register: Shai-Hulud worm returns, belches secrets to 25K GitHub repos

BleepingComputer: Malicious NPM packages abuse Adspect redirects to evade security

The Register: Crims poison 150K+ npm packages with token-farming malware

npm expr-eval: npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eva…

Risk 51
Severity 7.3

BleepingComputer: New ‘IndonesianFoods’ worm floods npm with 100,000 packages

BleepingComputer: New ‘IndonesianFoods’ spammer floods npm with 150,000 packages

BleepingComputer: Popular JavaScript library expr-eval vulnerable to RCE flaw

The Register: Invisible npm malware pulls a disappearing act – then nicks your tokens

BleepingComputer: Malicious NPM packages fetch infostealer for Windows, Linux, macOS

BleepingComputer: PhantomRaven attack floods npm with credential-stealing packages

The Register: Fake Postmark MCP npm package stole emails with one-liner

BleepingComputer: Unofficial Postmark MCP npm silently stole users' emails

BleepingComputer: GitHub tightens npm security with mandatory 2FA, access tokens

ZDNet: 5 ways to spot software supply chain attacks and stop worms - before it's too late

News: ZDNet

npm nx package: Malicious versions of the nx package, as well as some supporting plugin packages, were published to …

Risk 33
Severity 7

Parceljs Parcel: npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites c…

Risk 37
Severity 6.5

The Register: Self-propagating worm fuels latest npm supply chain attack

npm node-ip: SSRF

Risk 18
Severity 3.2

npm ip: SSRF

Risk 18
Severity 3.2

npm color-name: color-name@2.0.1 contains malware after npm account takeover

Risk 57
Severity 8.8

npm is-arrayish: is-arrayish@0.3.3 contains malware after npm account takeover

Risk 57
Severity 8.8

npm color-convert: color-convert@3.1.1 contains malware after npm account takeover

Risk 57
Severity 8.8

© 2026 SecAlerts Pty Ltd.