AllAgentic SystemsCreative CodeDamage ControlProducts & AnnouncementsProgrammingUnder the Hood

Topic: Package Management

After the npm Hack: We Need Real Package Management—But We Won’t Do It

Programming

After the npm Hack: We Need Real Package Management—But We Won’t Do It

Sep 18, 2025

We know how to fix JavaScript’s dependency mess, but the industry will choose symbolic gestures over real reforms.

Supply Chain SecurityOpen SourceJavaScript EcosystemPackage Management

Malicious Workflow Stole npm Token via Shared Repo; Lockdown Now, OIDC Next

Programming

Malicious Workflow Stole npm Token via Shared Repo; Lockdown Now, OIDC Next

Sep 17, 2025168

A shared repo’s GitHub Actions secret was exfiltrated via a malicious workflow, enabling malicious npm publishes; the author has locked down publishing now and is moving toward OIDC to eliminate static tokens.

Supply Chain SecurityPackage ManagementCI/CDOpen SourceIncident Response

NPM’s Supply Chain Is Still Wide Open—and Microsoft Isn’t Fixing It

Programming

NPM’s Supply Chain Is Still Wide Open—and Microsoft Isn’t Fixing It

Sep 17, 2025173

Microsoft’s control of npm hasn’t fixed its core weaknesses, leaving the JavaScript supply chain dangerously insecure and enterprises exposed.

Supply Chain SecurityCorporate AccountabilityOpen SourcePackage ManagementJavaScript Ecosystem

Shai-Hulud: Self‑Spreading npm Backdoor Hits tinycolor and 40+ Packages

Programming

Shai-Hulud: Self‑Spreading npm Backdoor Hits tinycolor and 40+ Packages

Sep 16, 20251233

A self-propagating npm attack backdoored @ctrl/tinycolor and 40+ packages to steal multi-cloud and GitHub secrets, persist via Actions workflows, and exfiltrate data—demanding immediate removal, credential rotation, and CI/CD hardening.

Supply Chain SecurityCybersecurityPackage ManagementCI/CDJavaScript Ecosystem