A major vulnerability has been discovered in Node.js package manager (npm).
The attack is pretty simple and is detailed in the SOFTPEDIA article. The npm system leaves authors logged in by default and requires you to log out. If someone writes a malicious module and uploads it to NPM, when another user downloads it and is also an author, the malicious package can now upload itself to all the authors module, causing it to spread.
Hopefully the team over at Node.js / npm is working on fix. The easiest solution would be to remove the always logged in feature and re-require authentication when uploading modules to the npm registry.