Copy Another malicious library has been spotted in the JavaScript-oriented NPM registry, underscoring the continued fragility of today's software supply chain. Like other software package registries – repositories of code libraries for specific tasks – NPM, which was acquired last year by Microsoft's GitHub, has proven to be an effective mechanism for spreading malicious software. Developers tend to trust the modules they download from such services and typically incorporate them into their projects without much scrutiny. On Wednesday, ReversingLabs, a software security analysis firm, said it had identified password-stealing code in the The package, maintained by an author identified as "chrunlee," debuted as a 1.0.0 release on February 28, 2019. According to ReversingLabs, the project evolved to include remote shell functionality over the next several versions and late last year gained password-stealing capabilities with its 1.1.0 release.