Thousands of developers who publish JavaScript packages in the npm repository have had their passwords reset since May because their login credentials were too weak or had been publicly exposed. The affected accounts were in control of tens of thousands of Node.js modules that, in turn, were direct or indirect dependencies for half of the entire npm ecosystem.
The incident highlights why developers need to improve their security posture and practices, especially since it is estimated that more than 80 percent of any modern application consists of open-source code, most of it consumed from component repositories.
The npm registry, which is the main source of Node.js modules, hosts almost half a million JavaScript packages — building blocks that developers around the world use to build everything from websites and mobile apps to APIs for controlling internet-of-things devices and robots.
Read more at The New Stack