JavaScript registry npm vulnerable to 'manifest confusion' abuse

Failure to match metadata with packaged files presents supply chain vulnerability

The npm Public Registry, a database of JavaScript packages, fails to compare npm package manifest data with the archive of files that data describes, creating an opportunity for the installation and execution of malicious files.…

from The Register