NPM has introduced a new `allowScripts` opt-in install-script policy, giving users more control over whether package lifecycle scripts run during installation. This feature is designed to enhance security and privacy.
#npm
A large-scale NPM supply chain campaign involving 176 malicious packages targeted internal dependency systems. The packages were designed to evade detection by mimicking legitimate internal modules, aiming to compromise private registries and exfiltrate sensitive data from organizations.
A malware developer who created malicious NPM packages targeting Claude AI users' secrets accidentally leaked their own GitHub private token in the process. The attack was part of a supply chain campaign, but the developer's sloppiness exposed their identity and credentials. The incident highlights ongoing risks in the open-source ecosystem.
The article introduces StageClicker, a tool that simplifies setting up staged npm publishing for packages, requiring approximately one click per package to configure the workflow.
Security researchers have identified TrapDoor, a crypto-stealing malware campaign operating across three major package registries: NPM, PyPI, and Crates.io. The malicious packages target cryptocurrency wallets by stealing sensitive data during installation, highlighting the ongoing risks of supply chain attacks in open-source ecosystems.
NPM's staged publishing feature allows package authors to publish a package to a temporary staging registry before making it publicly available on the main registry. This enables testing and verification of packages in a production-like environment without immediate public visibility.
SafeDeps is a local dependency safety gate for Python, NPM, and NuGet projects. It scans project dependencies against known vulnerability databases, helping developers identify and mitigate security risks before deploying their applications.
The NPM package "get-shit-done-cc" has been renamed and rebranded as "OpenGSD," now available at opengsd.net.
A security compromise involving the Art-Template npm package was discovered, potentially affecting users of the Coruna browser exploit. The attack targeted the package's build or distribution pipeline, injecting malicious code. Users are advised to check for compromised versions and take appropriate remediation steps.
Researchers discovered a new supply chain attack targeting 34 packages across NPM, PyPI, and crates.io, with over 100 malicious versions published. The packages deploy a "TrapDoor" crypto stealer designed to exfiltrate cryptocurrency wallet credentials and sensitive data from infected systems.
The TrapDoor supply chain attack was discovered on PyPI, npm, and crates.io, using malicious packages to steal cryptocurrency from developers. The trojanized libraries exfiltrate wallet credentials and sensitive data, exploiting trust in open-source registries.
@qocial/tour is a lightweight, open-source, zero-dependency SDK for building app tours and user onboarding flows, designed to guide users through application interfaces.
Machine is a tool that runs npm install and other package managers in isolated environments, preventing the need to install dependencies directly on a user's computer and avoiding associated security and clutter risks.
Socket Security reports an active supply chain attack targeting NPM, PyPI, and Crates.io package registries, warning users to verify package integrity before installation.
The post argues that supply chain attacks would be eliminated if developers checked vendor/node_modules/venv directories into version control instead of using automated dependency install steps. The author claims this removes the attack surface from malicious package updates and GitHub commit hash exploits, making all dependencies traceable.
Npmjs.com's suggestion API now requires a Cloudflare captcha, breaking the search box's autocomplete feature. Users must navigate through captcha-protected HTML search results pages before the API will function properly and return JSON suggestions again.
GitHub has introduced staged publishing for npm packages, allowing maintainers to set a future publication time for new package versions. The update also adds new install-time controls for npm, giving users more granular management over package installations. These features aim to improve release workflows and enhance security.
The article explains why developers should switch from npm to pnpm, highlighting pnpm's faster performance, efficient disk space usage with a content-addressable store, and better monorepo support through workspaces.
A developer discovered that a fraudulent LinkedIn client project they were working on contained a Remote Code Execution (RCE) backdoor hidden in an npm install script, designed to compromise their machine.
Art-template suffered a supply chain attack via NPM, with attackers controlling the repository since 2025 and loading unauthorized JavaScript from third-party domains. The incident highlights that NPM remains the package manager where such supply-chain attacks regularly occur, with developers expressing helplessness about preventing them.
The NPM registry has introduced new security measures aimed at making package publishing more secure, including mandatory two-factor authentication (2FA) for package maintainers and enhanced verification processes to reduce the risk of supply chain attacks and malicious package uploads.
A team that was hit by malicious npm packages built Computer Police, a local registry proxy that intercepts npm/PyPI installs to block confirmed-malicious packages before they reach disk. It focuses only on known malware, avoids CVEs or heuristics, and works locally, in CI, and in agent sandboxes.
npmfind is an alternative search tool for discovering NPM packages, offering a different interface and search experience compared to the official NPM registry search.
Staged publishing is an npm feature that allows package authors to preview and test a package version before making it publicly available. It works by publishing the package to a temporary staging area with a specific tag for testing, then promoting it to the default "latest" tag when ready. This helps ensure quality and prevents breaking changes from reaching users prematurely.
NPM has announced that fine-grained access tokens will no longer be valid for authentication, as they bypass two-factor authentication (2FA) requirements. The change affects tokens created via the "New Token" page, while granular tokens generated through the "New Granular Token" page remain unaffected.
Staged publishing is an NPM feature that allows package publishers to prepare and preview a package version without immediately making it public. This enables testing and verification before final release, improving quality control for package publishing workflows.
A GitHub project called "ward" claims to defend against npm supply chain attacks, suggesting a new type of supply chain attack may have been identified targeting npm packages.
Infrawise is an MCP server that provides Claude Code with real-time infrastructure context, such as viewing AWS resources, querying Kubernetes clusters, and retrieving logs from cloud providers. It enables developers to access infrastructure data directly within their coding environment without switching tools.
Trusted Publishing lets npm publishers authenticate via OIDC identity tokens from CI/CD providers like GitHub Actions, GitLab CI/CD, and CircleCI, removing the need for long-lived tokens or secrets.
A developer released a Markdown document covering 12 npm supply-chain attack techniques from the past year, including account takeover, lifecycle hooks, self-replicating worms, and CI/CD attacks, designed to help coding agents review projects before publishing.