Socket’s threat researchers have uncovered a package lurking in npm for six years that awaits a remote command to wipe projects. The culprit? A package called xlsx-to-json-lh, which mimics the legitimate xlsx-to-json-lc package. Notice the difference? Just one letter separates them, a ‘h’ instead of a ‘c’ – an easy mistake for even careful developers… Read more »
The post Package lurking in npm for six years waits to destroy your work appeared first on Developer Tech News.