52% of All JavaScript npm Packages Could Have Been Hacked via Weak Credentials

  • 27 June 2017

June 27th 2017, by Catalin Cimpanu
 
Tens of thousands of developers using weak credentials to secure their npm accounts inadvertently put more than half of the npm packages (JavaScript libraries and tools) at risk of getting hijacked and used to deploy malicious code to legitimate applications that use them in their build process.
 
npm Inc, the company that runs the npm package manager, addressed the issue at the start of June by triggering password reset operations for all affected users.
 
Initially, there was a lot of confusion about npm Inc's actions, and many believed the organization might have been breached. It was only over the last weekend that we discovered the real reason behind the massive npm account password resets that took place at the start of the month.
 
Full Article.
