npm Threat Report

What’s in the report?

Learn how the most popular JavaScript package manager – npm – is being used by malicious actors to launch attacks, run botnets, and steal credentials and crypto.

Why should you care about malicious npm activity?

JavaScript is the most commonly used programming language globally, and 68% of developers depend upon it to create rich online functionality. With an average of 32,000 new npm packages published per month in 2021, attackers are using the popularity of npm to hide their nefarious behavior and launch attacks. In just six months, more than 1,300 malicious npm packages have been identified and reported by WhiteSource Diffend, making it vital for developers to understand what attackers are doing and how they can remediate issues without slowing down the development process.

Read this report to:

  • Gain insight into our findings of the 1,300 malicious npm packages identified by WhiteSource Diffend
  • Learn how threat actors are using npm to launch attacks, and how to stop them
  • Explore how npm impacts the software supply chain
  • Discover best practices to thwart npm attacks
