
3 pnpm Settings to Protect Yourself from Supply Chain Attacks
Secure your pnpm projects by quarantining new releases, blocking exotic subdependencies, and restricting build scripts.
Package managers, dependency management, software distribution, registries, and related tooling across programming ecosystems.

A self-propagating supply-chain attack has poisoned TanStack Router npm packages to steal credentials and infect further repositories.

A hijacked maintainer account was used to poison the axios npm package with a sophisticated, self-cleaning Remote Access Trojan targeting multiple operating systems.

The litellm PyPI package has been compromised by a supply chain attack that automatically steals and exfiltrates sensitive system credentials and secrets.
We know how to fix JavaScript’s dependency mess, but the industry will choose symbolic gestures over real reforms.

A shared repo’s GitHub Actions secret was exfiltrated via a malicious workflow, enabling malicious npm publishes; the author has locked down publishing now and is moving toward OIDC to eliminate static tokens.
Microsoft’s control of npm hasn’t fixed its core weaknesses, leaving the JavaScript supply chain dangerously insecure and enterprises exposed.

A self-propagating npm attack backdoored @ctrl/tinycolor and 40+ packages to steal multi-cloud and GitHub secrets, persist via Actions workflows, and exfiltrate data—demanding immediate removal, credential rotation, and CI/CD hardening.