Reporting malware in an npm package

If you find malware in an npm package (either yours or someone else's), you can report it to the npm Security team to help keep the JavaScript ecosystem safe.

Note: Vulnerabilities in npm packages should be reported directly to the package maintainers. We strongly advise doing this privately. You can find contact information for package maintainers with npm owner ls <package-name>. If the source code is hosted on GitHub, please refer to the repository's Security Policy.

How npm Security handles malware

Malware is a major concern for npm Security and we have removed hundreds of malicious packages from the registry. For every malware report we receive, npm Security takes the following actions:

  1. Confirm validity of the report.
  2. Remove the package from the registry.
  3. Publish a security placeholder for the package.
  4. Publish a security advisory alerting the community.

As part of our process we determine whether the user account that uploaded the package should be banned. We also cooperate with third parties when applicable.

Reporting malware

  1. Gather information about the malware.
  2. On the package page, click Report malware.
  3. On the malware report page, provide information about yourself and the malware:
    • Name: Your name.
    • Email address: An email address the npm Security team can use to contact you.
    • Package name: The name of the package that contains the malware.
    • Package version: The version of the package that contains the malware. Include all affected versions.
    • Description of the malware: A brief description of the malware and its effects. Include references, commits, and/or code examples that would help our researchers confirm the report.
  4. Click Send Report.
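Step 1 ("Gather information about the malware") and the report fields in step 3 are easier to fill in from a fixed set of facts about the package tarball: its name and version, its integrity hash, which lifecycle scripts npm would run automatically on install, and the file list. The script below is an added illustration, not npm's own tooling; it constructs a sample tarball inline (with a placeholder package name) so it runs offline. With a real package you would obtain the tarball with `npm pack <name>@<version>` and pass that file's bytes to `collect_report_fields` instead.

```python
"""Collect the evidence the npm malware-report form asks for from a package
tarball: name, version, integrity hash, install-time lifecycle scripts, files.
Added example; not npm's own code. The sample tarball is constructed here."""
import base64
import hashlib
import io
import json
import tarfile

# Lifecycle hooks npm runs automatically during installation; a suspicious
# command in one of these is the most common thing a report needs to cite.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def npm_integrity(data: bytes) -> str:
    """Subresource-Integrity string in the form npm records in lockfiles."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


def build_sample_tarball() -> bytes:
    """Constructed sample package (placeholder name) with a postinstall hook."""
    manifest = {
        "name": "example-reported-package",   # placeholder, not a real package
        "version": "1.2.3",
        "scripts": {"postinstall": "node setup.js"},
    }
    files = {
        "package/package.json": json.dumps(manifest).encode(),
        "package/index.js": b"module.exports = {};\n",
        "package/setup.js": b"// constructed placeholder for this example\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def collect_report_fields(tarball: bytes) -> dict:
    """Extract the facts a reporter should gather before filing the form."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        members = tar.getmembers()
        manifest = json.load(tar.extractfile(tar.getmember("package/package.json")))
        file_list = sorted(m.name for m in members if m.isfile())
    scripts = manifest.get("scripts", {})
    hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
    return {
        "package_name": manifest.get("name"),
        "package_version": manifest.get("version"),
        "integrity": npm_integrity(tarball),
        "install_hooks": hooks,
        "files": file_list,
    }


def format_description(fields: dict) -> str:
    """Render the gathered facts as the free-text 'Description of the malware'."""
    lines = [f"Package: {fields['package_name']}@{fields['package_version']}",
             f"Tarball integrity: {fields['integrity']}"]
    for hook, cmd in fields["install_hooks"].items():
        lines.append(f"Lifecycle hook {hook}: {cmd}")
    lines.append("Files in tarball: " + ", ".join(fields["files"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_description(collect_report_fields(build_sample_tarball())))
```

The integrity string lets the npm Security team confirm they are looking at the same tarball you examined, and quoting the exact lifecycle script command is the kind of code reference the description field asks for. The tarball is never extracted to disk and no script in it is executed; only the manifest and member list are read.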