Tag
npm introduces staged publishing, requiring human approval via 2FA for package releases, and new `--allow-*` flags (file, remote, directory) to control install sources, improving supply-chain security in npm CLI 11.15.0.
npm introduces staged publishing, allowing package updates to be reviewed and approved with 2FA before going live on the registry, enhancing security for package maintainers.
Grafana Labs disclosed that a cybercrime group gained unauthorized access to its GitHub repositories via the TanStack npm supply chain attack, downloading its codebase and internal data, but no customer production systems were compromised.
Nationwide emergency response today: AntV, an open-source frontend library from Ant Group, was hit by a supply chain attack and implanted with a worm. Users need to urgently check and upgrade.
id-agent is an open-source npm library that generates human-readable, token-efficient word-based IDs as a UUID alternative for AI agents, reducing token costs by ~40% while maintaining collision resistance.
The npm account 'atool' was compromised, leading to the publication of 637 malicious versions across 317 packages. The payload harvests credentials, establishes persistence via AI coding tools and system services, and exfiltrates data through GitHub.
The Hermes Web UI project started from scratch last month and within one month achieved 5,000 GitHub stars, 139k npm downloads, and 216k official site requests. The author expressed great joy and gratitude for community support.
SkillKit is a package manager for AI coding agent skills, supporting 46 agents and 400K+ skills from 31 sources, allowing one skill to be used across multiple agents.
Satirical article highlighting the recurring supply chain attacks in the npm registry, contrasting with more secure ecosystems like Go and Rust, and mocking the JavaScript community's acceptance of such vulnerabilities.
A PSA about a series of supply-chain attacks targeting AI developer tools (Hermes, OpenClaw) via npm and PyPI, specifically the 'Mini-Shai Hulud' worm that self-replicates and steals credentials, API keys, and browser sessions. The post advises sandboxed execution and restricting package age to mitigate risks.
Launched free coding agent 'freebuff' with 5 free hours of DeepSeek V4 Flash daily for everyone.
The article details a supply-chain attack on the TanStack library via NPM, offering a comprehensive guide to protect development environments by locking dependency ages, pinning versions, and auditing CI/CD pipelines and IDE extensions.
OpenAI responds to the TanStack npm supply chain attack, stating that no user data or production systems were compromised, but two employee devices were impacted and limited credentials exfiltrated from internal code repositories.
Detailed postmortem of a supply-chain attack on TanStack's npm packages involving cache poisoning, OIDC token extraction, and credential harvesting malware. All affected versions deprecated; users advised to rotate credentials.
A new npm package called safe-install is introduced to enhance supply chain security by allowing developers to disable install scripts by default and block exotic sub-dependencies, addressing ongoing vulnerabilities.
A developer shares a tip to configure a minimum release age for package installs to mitigate supply-chain attacks.
A high-severity supply-chain compromise affected 42 TanStack npm packages, exfiltrating cloud credentials and SSH keys. Users are advised to rotate credentials and reinstall from clean lockfiles if they installed packages during the attack window.
Reports indicate a security compromise affecting TanStack NPM packages, impacting developers using the TanStack Router and Start frameworks.
A satirical incident report describes a catastrophic, multi-stage supply chain attack originating from a compromised JavaScript dependency and spreading through Rust and Python ecosystems before being accidentally resolved by a mining worm.
ActionFence is an open-source middleware tool for enforcing security policies, such as spend caps and identity tiers, on MCP servers and Express APIs to protect against agent misuse.