News

Popular JavaScript libraries eslint-config-prettier and eslint-plugin-prettier were hijacked this week and turned into ...
“We discovered a 500-package limit for GitHub packages for any user other than an organizational admin. ... as going public with security-related problems isn’t always a viable option.
npm packages hit by phishing-based supply chain attack, exposing developers to malware and remote access threats.
Security researchers have uncovered two new malicious packages on the npm open source package manager that utilized GitHub to store stolen Base64-encoded SSH keys taken from developer systems. These ...
GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and ...
A security researcher and system administrator has developed a tool that can help users check for manifest mismatches in packages from the NPM JavaScript software registry.
GitHub, which itself is owned by Microsoft, announced on Monday that it plans to support code signing, a sort of digital wax seal, for npm software packages using the code-signing platform Sigstore.
Essentially, this means that JFrog Advanced Security and JFrog Curation, its service for tracking which open source packages are being used by developers, are now integrated directly with GitHub ...
GitHub is now also a CVE CNA and can issue its own CVE numbers for bugs disclosed in projects hosted on the platform.
With these new tools, GitHub is working to address security issues at a vast scale. Though not all open source projects rely on GitHub, the majority do, and the platform is as much a social ...
GitHub Package Registry supports package management tools including NPM, Maven, and NuGet as well as Docker images. Also, multiple software package types can be hosted in one registry.