|Original author(s)||Isaac Z. Schlueter|
|Developer(s)||Rebecca Turner, Kat Marchán, others|
|Initial release||January 12, 2010|
|Stable release||6.4.1 / 29 August 2018|
|License||Artistic License 2.0|
- In February 2018, an issue was discovered in version 5.7.1 in which running 'sudo npm' on Linux systems would change the ownership of system files, permanently breaking the operating system.
- In July 2018, the npm credentials of a maintainer of the popular eslint-scope package were compromised, resulting in the malicious release 3.7.2. The malicious code copies the npm credentials of the machine running eslint-scope and uploads them to the attacker.
- In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that steals bitcoins from certain applications. npm administrators responded by removing the offending package.
In npm version 6, the audit feature was introduced to help developers identify and fix vulnerabilities and other security issues in installed packages. The security issues it reports were taken from the Node Security Platform (NSP), which has been integrated with npm since npm's acquisition of NSP.
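As an added example (not code from the article or from npm itself), the following Node.js snippet reads the JSON report that `npm audit --json` prints and returns the findings at or above a chosen severity, so a build can be failed on them. It handles the report shape from npm 6 (findings under `advisories`) and the later shape introduced with npm 7 (findings under `vulnerabilities`); the field names are assumed from npm's documented output, and the sample reports are constructed, not real advisories.

```javascript
// Added example: gate a build on the JSON report printed by `npm audit --json`.
// Assumed report shapes: npm 6 lists findings under "advisories" (keyed by advisory id),
// npm 7+ under "vulnerabilities" (keyed by package name).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Normalise either report shape into [{ name, severity, fixAvailable }].
function normalizeAudit(report) {
  if (report.advisories) {                                  // npm 6 shape
    return Object.values(report.advisories).map(a => ({
      name: a.module_name,
      severity: a.severity,
      // npm 6 marks "no fix" with the empty range "<0.0.0" (assumed convention).
      fixAvailable: Boolean(a.patched_versions && a.patched_versions !== '<0.0.0'),
    }));
  }
  return Object.values(report.vulnerabilities || {}).map(v => ({  // npm 7+ shape
    name: v.name,
    severity: v.severity,
    fixAvailable: Boolean(v.fixAvailable),
  }));
}

// Findings at or above `threshold`, worst first; an empty array means the gate passes.
function findingsAtOrAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  return normalizeAudit(report)
    .filter(f => (SEVERITY_RANK[f.severity] ?? -1) >= min)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Exit status a CI step would use: 1 when anything at/above the threshold is present.
function gateExitCode(report, threshold) {
  return findingsAtOrAbove(report, threshold).length ? 1 : 0;
}

// Constructed sample reports (hypothetical package names) in each shape.
const npm6Report = {
  advisories: {
    '1': { module_name: 'example-left', severity: 'high', patched_versions: '>=1.0.1' },
    '2': { module_name: 'example-right', severity: 'low', patched_versions: '<0.0.0' },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};
const npm7Report = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-stream': { name: 'example-stream', severity: 'critical', fixAvailable: false },
    'example-pad': { name: 'example-pad', severity: 'moderate', fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 1, total: 2 } },
};
```

In a pipeline, pipe the output of `npm audit --json` into `JSON.parse` and pass the object to `gateExitCode` with the severity your policy tolerates.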