npm Security

For the past few weeks, an ongoing supply chain attack on npm packages has shaken the JavaScript community. It’s not that npm packages haven’t been compromised before, but this time, the targets were surprising. Attackers went after popular packages maintained by well-known authors, creating the potential for widespread damage.

• In late August, the popular monorepo tool Nx was compromised, leading to several malicious package versions. These included a postinstall script that attempted to run prompts on AI CLIs to steal passwords, tokens, keys, and other sensitive data before sending them to the attacker.
• In early September, npm maintainer Josh Junon (Qix on npm) confirmed their account was compromised after falling for a fake 2FA reset email. Because Josh co-maintained many packages with prolific author Sindre Sorhus, this resulted in 19 malicious package versions. The malicious code searched for cryptocurrency wallet data and initiated unauthorized transfers.
• The next day, the duckdb_admin npm account was also compromised through the same phishing email, leading to 7 malicious package versions with similar crypto-stealing code.
• Soon after, another maintainer’s credentials were stolen, compromising the popular tinycolor package. With over 2 million weekly downloads, it was a major target. The attacker added a postinstall script to collect additional credentials from the same machine.
• Investigations later revealed the attack was self-propagating because stolen npm tokens were used to publish more malicious packages.

GitHub responded about a week later, outlining plans to strengthen npm’s security. This includes changes to how npm tokens are generated and the introduction of trusted publishing as an alternative to token-based workflows. (Notably, JSR, an alternative JavaScript package registry, has always relied on trusted publishing in CI environments and doesn’t support publish tokens.)

If you maintain npm packages, here’s what you should do right now:

1. Enable 2FA on your npm and GitHub accounts.
2. Switch to trusted publishing through a GitHub workflow instead of using npm tokens. Tools like release-please or Release It! can help automate this.
3. Avoid manual publishing whenever possible.
4. Don’t click links in emails claiming to be from npm. Instead, go directly to the npm website to verify your account.

npm isn’t being targeted because it’s less secure than other registries, but because JavaScript’s popularity makes it a prime vector for spreading malicious code. Keeping the ecosystem safe starts with maintainers taking the right precautions.

Key Takeaways

• A series of phishing-based supply chain attacks have compromised popular npm packages, showing how easily trusted maintainers can become targets.
• GitHub is introducing stronger security measures, including trusted publishing, to reduce reliance on npm tokens and prevent future compromises.
• Package maintainers can protect themselves and the ecosystem by enabling 2FA, using trusted publishing, and avoiding suspicious emails or manual publishing.

Understanding JavaScript Promises My e-book, Understanding JavaScript Promises, now includes information about Promise.withResolvers() and a whole new chapter on using and creating abortable functions. Buy the E-book

Stuff I've Enjoyed this Month

🎬 Most devs don't understand how LLM tokens work by Matt Pocock
I admit, I didn't really understand how LLM tokens worked until I watched this video. Matt does a great job explaining what a token is and how token size affects AI behavior and required memory.

📝 CSS-only scrollspy effect using scroll-marker-group and :target-current by Sara Soueidan
More and more we don't need to use JavaScript to achieve dynamic web pages. This article explains how we'll soon be able to use just CSS to implement scroll spying (updating the UI based on scroll position).

🎬 This game theory problem will change the way you see the world by Veritasium
The prisoner's dilemma is a classic game theory problem that explores whether it's better to cooperate with others or not, and in which situations to do which. This video explains the findings by digging into simulated game theory situations.

📝 A few things about the anchor element's href you might not have known by Jim Nielsen
The href attribute of an tag does a lot more than you think. This article lists all the different behaviors and ways you can navigate by changing the value of href.

🎧 How AI is taking over the US Government by David Sirota
This podcast explores how the major AI companies are already influencing the US government to ensure they're not bound to any meaningful regulations.

📝 Behind the scenes of bun install by Lydia Hallie
When you run npm install, there's a lot that goes on. This (long, detailed) post explains the differences in how bun (and npm, Yarn, and pnpm) perform installs and why Bun's implementation is so much faster.

🎬 How the New York Times beat paywall hackers for good by Coding with Lewis
We all hate paywalls, and the New York Times understood that. That's why they developed an algorithm for figuring out when to show a paywall to certain users. You'll be surprised at just how involved this algorithm is.

📷 Insta360 Link 2 Webcam by Insta360
I was looking for a new webcam and came across a lot of positive reviews on the Insta360 Link 2. So far, I'm impressed. The video and sound are excellent, the face tracking is great, and it feels like having a little droid sitting on top of my monitor.

What I'm Working On

🏠 Real Estate: It's been a quiet month, thankfully, which is always the best case scenario with rental properties. Follow my Instagram for real estate photos.

🍞 Bredbox: Bredbox has around 30 users at this point, and I'm gathering feedback before letting the next batch of users in. So far, I've been pleased that the app hasn't crashed, even as I muddled my way through learning the Cloudflare infrastructure. The next step is to implement collections, after which I'll let in the next batch of users.

💻 ESLint:

• We had an issue with a major surge in crawler traffic from China to eslint.org that was eating up our bandwidth. I spent some time working through that issue, setting up blocking for certain requests until the traffic died back down.
• I spent most of my time planning for v10.0.0, including helping remove the old eslintrc config system.

Coaching for Tech Leads and Staff+ Engineers

If you're a tech lead or staff+ engineer, chances are your manager has no experience in your role. While they may be well-intentioned, they may not know how to help you grow in such a challenging position.

That's where working with me can help. As a former tech lead and principal engineer at multiple companies, I learned firsthand the ins and outs of these roles. I work with my clients one-on-one to develop their leadership, communication, organization, and problem-solving skills to succeed in the upper ranks of the individual contributor track.

​