Another supply chain attack has hit npm. Crazy. Feels a bit scary to use npm right now.
Yeah, it’s getting pretty concerning. What makes this one worse is that it doesn’t look like maintainer accounts were even compromised, which suggests automated package flooding rather than traditional account takeover.
Still, npm itself isn’t inherently unsafe — the bigger risk is dependency trust and how quickly malicious packages can propagate. Pinning versions, using lockfiles, and auditing dependencies is more important than ever right now.
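One way to turn the reply's advice (exact pins, a lockfile, integrity hashes) into a check you can run before `npm ci`. This is an added example written for this page, not code from either poster; the package.json and package-lock.json contents are constructed samples, and the lockfile layout it reads is the v2/v3 `packages` map keyed by `node_modules/<name>`.

```python
import json
import re

# Constructed sample manifest for the example (not a real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "left-pad": "1.3.0",     # exact pin
        "lodash": "^4.17.21",    # caret range: any 4.x.y >= 4.17.21 at install time
        "express": "~4.18.0",    # tilde range: any 4.18.x
        "chalk": "latest",       # dist-tag: whatever the registry serves as newest
    },
    "devDependencies": {
        "jest": "29.7.0",
    },
})

# Constructed sample package-lock.json (lockfileVersion 2/3 layout). "chalk"
# has no entry at all and "lodash" has no integrity hash, so both get flagged.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/express": {
            "version": "4.18.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/jest": {
            "version": "29.7.0",
            "resolved": "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz",
            "integrity": "sha512-CCCC",
        },
    },
})

# An exact version is MAJOR.MINOR.PATCH with an optional prerelease/build suffix.
# Everything else (^, ~, *, x-ranges, dist-tags like "latest", git/URL specs,
# "npm:" aliases) is treated as unpinned; that is the conservative choice.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def declared_dependencies(package_json_text):
    """Merge every dependency section of package.json into one {name: spec} map."""
    manifest = json.loads(package_json_text)
    deps = {}
    for field in DEP_FIELDS:
        deps.update(manifest.get(field, {}))
    return deps


def unpinned_dependencies(package_json_text):
    """Return {name: spec} for declared deps whose spec is not an exact version."""
    deps = declared_dependencies(package_json_text)
    return {name: spec for name, spec in deps.items() if not EXACT_VERSION.match(spec)}


def lockfile_gaps(package_json_text, lockfile_text):
    """Return declared deps the lockfile does not pin (absent) or does not
    authenticate (no integrity hash). Direct deps live at node_modules/<name>,
    including scoped names such as node_modules/@scope/pkg."""
    packages = json.loads(lockfile_text).get("packages", {})
    missing, no_integrity = [], []
    for name in declared_dependencies(package_json_text):
        entry = packages.get("node_modules/" + name)
        if entry is None:
            missing.append(name)
        elif not entry.get("integrity"):
            no_integrity.append(name)
    return {"missing": sorted(missing), "no_integrity": sorted(no_integrity)}


if __name__ == "__main__":
    for name, spec in unpinned_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"unpinned: {name} {spec!r}")
    gaps = lockfile_gaps(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE)
    for name in gaps["missing"]:
        print(f"not in lockfile: {name}")
    for name in gaps["no_integrity"]:
        print(f"no integrity hash: {name}")
```

Run it against a real checkout by reading the two files instead of the sample strings. In CI, pair it with `npm ci`, which refuses to install when package.json and the lockfile disagree, and with `npm audit` for published advisories. The caveat a practitioner should keep in mind: an exact pin plus an integrity hash guarantees you install the bytes you reviewed, not that those bytes are benign, so a newly published malicious version still has to be caught at the point where someone bumps the pin.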