npm Threat Report:

Popular JavaScript Package Registry Is a Playground For Malicious Actors

What’s in the report?

Learn how the most popular JavaScript package manager, npm, is being used by malicious actors to launch attacks, run botnets, and steal credentials and crypto.

Why should you care about malicious npm activity?

JavaScript is the most commonly used programming language globally, and 68 percent of developers depend upon it to create rich online functionality. With an average of 32,000 new npm packages published per month in 2021, attackers are using the popularity of npm to hide their nefarious behavior and launch attacks. In just six months, more than 1,300 malicious npm packages have been identified and reported by Mend Supply Chain Defender, making it vital for developers to understand what attackers are doing and how they can remediate issues without slowing down the development process.


Read this report to:

  • Gain insight into our findings of the 1,300 malicious npm packages identified by Mend Supply Chain Defender
  • Learn how threat actors are using npm to launch attacks, and how to stop them
  • Explore how npm impacts the software supply chain
  • Discover best practices to thwart npm attacks