
Node.js
Open-source JavaScript runtime; its npm package manager was exploited via the TeamPCP supply-chain attack on SAP packages.
Last refreshed: 30 April 2026 · Appears in 1 active topic
If developers cannot trust official npm packages, where is the trust boundary?
Timeline for Node.js
Mentioned in: Three supply-chain hits in thirteen days
Cybersecurity: Threats and Defences
- What is Node.js and why is it important?
- Node.js is an open-source JavaScript runtime that powers most modern web servers, microservices, and developer tools. It was created in 2009 and is now maintained by the OpenJS Foundation. Source: OpenJS Foundation
- How many packages are on npm?
- npm, the package registry for Node.js, hosts approximately 2 million third-party packages that developers install during builds and development. Source: npm Inc
- Did the SAP npm compromise affect Node.js?
- Yes. Official SAP npm packages were compromised by TeamPCP on 29 April 2026, stealing developer credentials from engineers installing them via `npm install`. Source: Bleeping Computer
Background
Node.js is an open-source JavaScript runtime that lets developers execute JavaScript outside the browser, on servers and development machines. Ryan Dahl created Node.js in 2009 to bring JavaScript's event-driven, non-blocking model to backend application development. The project is now maintained by the OpenJS Foundation, a vendor-neutral governance body. Node.js is the de facto runtime for most modern web applications, microservices, and command-line tools. The npm (Node Package Manager) registry, maintained separately, distributes over 2 million third-party libraries that developers install via `npm install` commands during development and build time. This split—the runtime maintained by OpenJS, the package registry operated by npm Inc (a GitHub subsidiary)—makes Node.js a critical dependency for the modern development toolchain.
On 29 April 2026, official SAP npm packages were compromised in the TeamPCP supply-chain attack, stealing developer credentials and authentication tokens from engineers running `npm install`. SAP, a top-tier enterprise software vendor, ships npm packages for its developer-tooling suite; engineers building applications that integrate with SAP systems run these packages as a trusted installation step. The TeamPCP compromise represents the first direct hit against a major vendor's official npm packages in this threat cycle. In the same thirteen-day window, GlassWorm malware turned 73 dormant Visual Studio Code extensions malicious, and a PyPI package with 1.1 million monthly downloads distributed infostealer malware. The pattern is structural: the developer toolchain (package managers like npm and pip, extension registries, build-time dependencies) has become a primary lateral-movement substrate. For organisations with engineers running `npm install` against public registries without build-time controls (lockfile pinning, allow-listed registries, signed manifests), the risk profile has materially worsened.