JFrog’s New Tools Flag Malicious JavaScript Packages

DevOps security firm JFrog has released three open source security tools to help JavaScript developers detect and prevent the installation of problematic packages, in response to recent issues with the npm software registry.

Software supply chain attacks are becoming a big problem in the open source software ecosystem, with attackers sneaking information stealers, keyloggers, and other types of malware into package managers and repositories such as npm, RubyGems, and PyPI. In many cases, the packages containing the malicious code have names similar to well-known, legitimate packages. In other cases, the packages themselves have been tampered with. Last week, the maintainer behind two widely used JavaScript libraries intentionally corrupted colors.js and faker.js, causing problems for tens of thousands of JavaScript applications relying on those packages.
