npm's Security Dilemma: How Malicious Packages Exploit Openness and the Path Forward
Jun 2, 2025 · 3 min read · The discovery of malicious npm packages like xlsx-to-json-lh—a six-year-old typosquatting artifact mimicking the legitimate xlsx-to-json-lc—alongside broader campaigns involving 60+ packages, underscores systemic vulnerabilities in npm's security mod...