Massive campaign: 170+ packages and 400+ malicious versions published. What we saw: not a single maintainer account was compromised. TanStack and Mistral AI are the names that stand out.

    • robert02@programming.dev · 11 upvotes · 8 days ago

      Another supply chain attack has hit npm. Crazy. Feels a bit scary to use npm right now.


      Yeah, it’s getting pretty concerning. What makes this one worse is that it doesn’t look like maintainer accounts were even compromised, which suggests automated package flooding rather than traditional account takeover.

      Still, npm itself isn’t inherently unsafe — the bigger risk is dependency trust and how quickly malicious packages can propagate. Pinning versions, using lockfiles, and auditing dependencies is more important than ever right now.
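As an added example (not from the thread), a small Node script that checks a package.json against its lockfile for the three things the comment above recommends: version ranges that are not pinned, dependencies the lockfile does not actually pin, and packages anywhere in the tree that run install scripts. The package names and file contents below are constructed samples, and the script assumes a lockfileVersion 2 or 3 lockfile (the `packages` map).

```javascript
// Added example, not code from the thread. Audits a package.json + package-lock.json
// pair for the hygiene points above. Sample manifests are constructed.

// Exact semver only (1.2.3 or 1.2.3-beta.1); anything else resolves at install time.
const PINNED = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

function auditManifest(pkg, lock) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = lock.packages || {};

  for (const [name, spec] of Object.entries(deps)) {
    // 1. Unpinned specifier (^, ~, >=, *, tag, git URL): a freshly published
    //    malicious version can be picked up without touching package.json.
    if (!PINNED.test(spec)) findings.push({ name, kind: 'unpinned', detail: spec });

    // 2. Lockfile drift: missing from the lockfile, or locked to a version other
    //    than the pin, so `npm ci` does not reproduce what you reviewed.
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, kind: 'not-in-lockfile', detail: spec });
    } else if (PINNED.test(spec) && entry.version !== spec) {
      findings.push({ name, kind: 'lock-mismatch', detail: `${spec} != ${entry.version}` });
    }
  }

  // 3. Install scripts anywhere in the tree (direct or transitive) run arbitrary
  //    code at install time; npm marks them with hasInstallScript in v2/v3 lockfiles.
  for (const [path, entry] of Object.entries(packages)) {
    if (path && entry.hasInstallScript) {
      findings.push({ name: path.replace(/^.*node_modules\//, ''), kind: 'install-script', detail: entry.version });
    }
  }
  return findings;
}

// Constructed sample input (package names are made up).
const samplePkg = {
  dependencies: { 'left-pad-ish': '^1.3.0', 'good-lib': '2.0.1', 'ghost-lib': '0.1.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/left-pad-ish': { version: '1.3.0' },
    'node_modules/good-lib': { version: '2.0.1' },
    'node_modules/good-lib/node_modules/helper': { version: '0.9.0', hasInstallScript: true },
  },
};

for (const f of auditManifest(samplePkg, sampleLock)) console.log(`${f.kind}: ${f.name} (${f.detail})`);
```

Run it as `node audit.js` next to the real files after replacing the samples with `JSON.parse(fs.readFileSync(...))`; each finding is something to review before the next `npm ci`.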

      • HaraldvonBlauzahn@feddit.org · 1 upvote · 5 days ago

        Still, npm itself isn’t inherently unsafe

        The buck stops at the fact that it isn’t safe. Which is partially a cultural problem. And npm users worked hard to get to that place - it’s not the case that they were not given warnings.