Programming

NPM’s Supply Chain Is Still Wide Open—and Microsoft Isn’t Fixing It

Supply Chain SecurityCorporate AccountabilityOpen SourcePackage ManagementJavaScript Ecosystem
Added Sep 17, 2025
Link220
Article: NegativeCommunity: NeutralDivisive

The author argues Microsoft’s stewardship of npm has left the JavaScript supply chain dangerously exposed, echoing the company’s historic mishandling of Internet Explorer. Incidents like the NX malware and debug/chalk compromises highlight how easy it remains to ship malicious code via npm, aided by postinstall scripts, npx, and inadequate defenses against namesquatting. While GitHub has added SBOM/attestation, the lack of signed packages and secure-by-default practices means enterprises must reassess their dependencies and demand stronger protections.

Key Points

  • The author contends Microsoft, via GitHub’s stewardship of npm, is failing to address core supply-chain risks and should be seen as a bad actor in 2025.
  • Recent npm compromises (e.g., NX-related malware and the debug/chalk incidents) show attackers are shifting from crypto theft to stealing maintainer tokens and keys, escalating enterprise risk.
  • A long-known attack surface—postinstall scripts and npx’s ability to run arbitrary remote code—remains largely unchecked, making malware delivery trivial.
  • Despite adding SBOM/attestation features, the ecosystem lacks foundational protections such as signed packages and robust defenses against namesquatting and AI-generated junk packages; 2FA alone is insufficient.
  • The situation echoes Microsoft’s Internet Explorer era: widespread distribution, inadequate fixes, and long-lived vulnerabilities that endanger users by default.

Sentiment

The community is broadly sympathetic to the article's core concern that npm has serious, longstanding supply chain vulnerabilities deserving more attention and investment. However, HN strongly pushes back on the 'bad actor' label for Microsoft, with multiple commenters providing concrete evidence of security improvements already shipped. The consensus is that the problems are real and serious but the article overstates Microsoft's culpability, understates existing work, and underestimates the difficulty of solutions. Most agree the fundamental issue is a combination of npm's original design choices, JS ecosystem culture, and insufficient investment — not active hostility.

In Agreement

  • Microsoft has the resources to address known security issues but has failed to act on proposals like package signing, which has been ignored since 2013
  • npm's postinstall scripts and npx executing arbitrary remote code are fundamental design flaws that create unnecessary attack surface
  • The npm ecosystem's culture of deep dependency trees with thousands of transitive dependencies makes supply chain attacks uniquely devastating
  • npm lags behind other package managers — PyPI has attestation, Ruby has signed gems, Go downloads source code rather than tarballs
  • Published npm packages are entirely disconnected from their GitHub source code, meaning code review on GitHub provides zero security guarantees
  • npm's default behavior of auto-upgrading to the latest semver-compatible version is dangerous and should not be the default
  • npm audit is so noisy and unusable that developers ignore it entirely, requiring third-party tools to be functional

Opposed

  • npm's problems are primarily a function of its popularity as the largest package registry, not unique negligence — similar attacks hit PyPI, RubyGems, and others
  • Microsoft HAS been investing in npm security: Sigstore support shipped in 2023, hardware tokens were distributed in 2021, Trusted Publishing went GA in 2025, and 2FA is required for top maintainers
  • The article's claims are factually outdated — calling it 'no signed dependencies' ignores the Sigstore and provenance work that already shipped
  • Removing postinstall scripts and npx would break workflows while barely denting supply chain attacks, since any executed dependency code can be malicious
  • Blaming Microsoft is misdirected when the root cause is JS developer culture choosing convenience over security, including deep dependency trees and automatic upgrades
  • Even code signing would not help because attackers who steal auth tokens could just as easily steal signing keys
  • npm is a stretch to call a 'bad actor' when they are likely the reason the service is still running at all — at worst they are guilty of apathy
NPM’s Supply Chain Is Still Wide Open—and Microsoft Isn’t Fixing It | TD Stuff