Bleeping Computer

NPM fixes private package names leak, serious authorization bug

The largest software registry of Node.js packages, npm, has disclosed multiple security flaws that were identified and remedied recently. The first flaw concerns leak of names of private npm packages ...
Dark Reading

'Revival Hijack' on PyPI Disguises Malware With Legitimate File Names

Security researchers have discovered a simple and troubling way for attackers to distribute malicious payloads via the PyPI package repository. All that the technique involves is re-registering a ...
Dark Reading

Novel npm Timing Attack Allows Corporate Targeting

A novel timing attack has emerged for targeting private corporate software packages hosted in the npm code repository. The goal is to uncover the legitimate offerings and then create malicious public ...
TechRadar

Mitigating the risks of package hallucination and 'slopsquatting'

In 2024, cybersecurity experts started to warn of a new threat to the software supply chain. Named 'slopsquatting', it is a type of cyber attack where bad actors create fake packages containing ...
InfoWorld

Java 101: Packages organize classes and interfaces

As an alternative to rewriting the same code, many software development environments provide a library tool that organizes frequently used code. Once developers finish debugging some reusable code, ...