Best of NPM, December 2025

  1.
    Article
    InfoWorld · 21w

    WhatsApp API worked exactly as promised, and stole everything

    A malicious npm package called "lotusbail" masqueraded as a legitimate WhatsApp Web API library for six months, accumulating over 56,000 downloads. The package functioned correctly while secretly stealing messages, credentials, and contact data through a proxy layer that intercepted all operations. It used four layers of obfuscation and RSA encryption to exfiltrate data to attacker-controlled servers. Most critically, it exploited WhatsApp's multi-device pairing to maintain persistent access even after package removal, requiring manual device unlinking. The package remains available on npm, highlighting the limitations of traditional security checks against supply-chain attacks that mimic legitimate behavior.

  2.
    Article
    DevBlogs · 23w

    Previewing the JavaScript/TypeScript Modernizer for VS Code Insiders

    Microsoft introduces the JavaScript/TypeScript Modernizer, an AI-powered VS Code extension that automates upgrading npm packages and fixing breaking changes in JS/TS projects. Available in VS Code Insiders as part of the GitHub Copilot App Modernization extension, it analyzes package.json files, proposes upgrade plans, updates dependencies to their latest versions, and suggests the necessary code changes through an interactive Copilot Chat experience. The tool requires VS Code Insiders, Node.js/npm, GitHub Copilot access, and enabling an experimental feature flag. It is currently in preview, with limitations including single-project support and potential rough edges.

  3.
    Article
    Socket · 24w

    npm Sees Surge of Auto-Generated “elf-stats” Packages Publis...

    Socket's Threat Research Team discovered over 420 automated malicious packages published to npm following an "elf-stats" naming pattern. These packages were published every two minutes from newly created accounts and contained simple malware variants. npm has begun removing the affected packages, but the automated publishing continues with new variations appearing. Developers should avoid installing any packages matching the elf-stats-* pattern until they can be verified as safe.