If you find malware in an npm package (either yours or someone else's), you can report it to the npm Security team to help keep the JavaScript ecosystem safe.
Note: Vulnerabilities in npm packages should be reported directly to the package maintainers. We strongly advise doing this privately. You can find contact information about package maintainers with `npm owner ls <package-name>`. If the source code is hosted on GitHub, please refer to the repository's Security Policy.
Malware is a major concern for npm Security and we have removed hundreds of malicious packages from the registry. For every malware report we receive, npm Security takes the following actions:
As part of our process we determine whether the user account that uploaded the package should be banned. We also cooperate with third parties when applicable.
© npm, Inc. and Contributors
Licensed under the npm License.
npm is a trademark of npm, Inc.
https://docs.npmjs.com/reporting-malware-in-an-npm-package