Defending Against npm Supply‑Chain Attacks (September 2025)

Developers can significantly reduce risk from npm supply‑chain attacks by default‑denying install scripts, using reproducible installs with lockfiles, preferring signed provenance, applying the Node.js Permission Model, and gating dependency changes in CI; together these measures contain the execution pathways used in recent compromises such as the September 2025 chalk/debug and “Shai‑Hulud” waves. In environments touching crypto or other secrets, keep keys off workstations and treat any machine that executed tainted versions as potentially compromised until tokens are rotated and CI/workflows are audited.[^8][^10][^11][^12][^13][^14][^15][^16][^17]

What happened in Sep 2025

On September 8, 2025, attackers compromised multiple npm maintainer accounts and pushed malicious versions of high‑traffic packages including chalk, debug, and at least 16 others, triggering rapid ecosystem responses from vendors and platforms. Subsequent analysis showed browser‑focused payloads hooking window.ethereum and network APIs to hijack cryptocurrency transactions at scale, with multi‑chain support and obfuscation.[^1][^2][^3][^4]

...
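One way to implement the "gate dependency changes in CI" and "default‑deny install scripts" points from the opening paragraph, as an added example that is not code from the original article: a Node script that diffs two package-lock.json documents and refuses any added or changed dependency that lacks an integrity hash, resolves outside the expected registry, or declares an install script. The registry URL, the package names and both lockfiles are constructed assumptions.

```javascript
// Added example (not from the original article): a CI gate over two
// package-lock.json documents (lockfileVersion 2/3 "packages" map). npm records
// packages with preinstall/install/postinstall hooks as hasInstallScript: true.
// REGISTRY and the sample lockfiles below are constructed assumptions.
const REGISTRY = 'https://registry.npmjs.org/';
function gateLockfileChange(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const added = [], changed = [], removed = [], violations = [];
  for (const [path, entry] of Object.entries(newPkgs)) {
    if (path === '') continue; // root project entry, not a dependency
    const prev = oldPkgs[path];
    const isNew = !prev;
    const isChanged = !isNew && prev.version !== entry.version;
    if (isNew) added.push(path);
    if (isChanged) changed.push(`${path}: ${prev.version} -> ${entry.version}`);
    if (!isNew && !isChanged) continue; // unchanged entries were reviewed earlier
    // A new or changed entry must be reproducible by `npm ci` from the lockfile
    // alone, and any install script needs explicit human review before merge.
    if (!entry.integrity) violations.push(`${path}: missing integrity`);
    if (!entry.resolved || !entry.resolved.startsWith(REGISTRY)) violations.push(`${path}: resolved outside ${REGISTRY}`);
    if (entry.hasInstallScript) violations.push(`${path}: declares install script`);
  }
  for (const path of Object.keys(oldPkgs)) {
    if (path !== '' && !(path in newPkgs)) removed.push(path);
  }
  return { added, changed, removed, violations, ok: violations.length === 0 };
}
// Constructed sample: a patch bump that newly declares an install script, plus a
// new transitive dependency pulled from an unexpected mirror with no integrity.
const OLD_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/example-dep': { version: '4.1.2', integrity: 'sha512-CONSTRUCTED0',
    resolved: 'https://registry.npmjs.org/example-dep/-/example-dep-4.1.2.tgz' },
} };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/example-dep': { version: '4.1.3', integrity: 'sha512-CONSTRUCTED1',
    resolved: 'https://registry.npmjs.org/example-dep/-/example-dep-4.1.3.tgz',
    hasInstallScript: true },
  'node_modules/new-helper': { version: '0.1.0',
    resolved: 'http://mirror.example.invalid/new-helper-0.1.0.tgz' },
} };
function runGate() { return gateLockfileChange(OLD_LOCK, NEW_LOCK); }
console.log(JSON.stringify(runGate(), null, 2)); // ok: false, three violations
```

In a pipeline, run the gate against the lockfile from the merge base and fail the job when `ok` is false, so a version bump or a new transitive package only lands after a reviewer has looked at the listed entries.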