Warning: JavaScript registry npm vulnerable to ‘manifest confusion’ abuse

The npm Public Registry, a database of JavaScript packages, fails to compare npm package manifest data with the archive of files that data describes, creating an opportunity for the installation and execution of malicious files. In a blog post published on Tuesday, Darcy Clarke, who was staff engineering manager for the npm CLI (command line interface) team from July 2019 through December 2022, calls this “manifest confusion”.

Source: The Register
