
[BUG] <title>Subsequent malware attacks and security issues in the npm supply chain

Open seniorit opened this issue 3 months ago • 6 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

This issue exists in the latest npm version

  • [x] I am using the latest npm

Current Behavior

Subsequent malware attacks and security issues in the npm supply chain

Recently, the npm ecosystem has suffered several supply chain attacks shortly after its launch, and this has been widely reported in the Spanish-speaking community by people like midudev 🧐👍😄

Apart from removing the carets, we have no other option, but it doesn't solve the underlying problem. I created my own implementation for my private projects, which isn't the best solution, but it works for me for now. However, I would like to know how we can collaborate or contribute to making the npm platform, which is the benchmark in the nodejs ecosystem, more secure for all of us who use it and the community in general.

Finally, I would appreciate it if you could indicate if you have already contacted an issue regarding this specific topic. 😎

Environment

  • npm: 11.5.2
  • Node.js: v22.19.0
  • OS Name: Fedora Linux 42
  • System Model Name: Lenovo IdeaPad Core i7-13620H

seniorit avatar Sep 17 '25 05:09 seniorit

The option I have seen taken by a few now (including us) is to have a minimum age period for pulling new package releases (3 days as one example, but that would be configurable).

pnpm have already implemented a feature at a package manager level: https://github.com/pnpm/pnpm/issues/9921 - https://pnpm.io/settings#minimumreleaseage.

Artifactories are also implementing package delay policies such as JFrog have done, a minimum delay before picking up npm packages for publishing.

Lorondos avatar Sep 17 '25 10:09 Lorondos
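
The minimum-age idea from the comment above, sketched as an added example (not part of the thread, and not pnpm's or npm's own code): a caret range is resolved against the publish timestamps in a registry packument's `time` field, and versions younger than the cooldown are skipped. The packument is constructed sample data, `example-pkg` and `resolve` are hypothetical names, and the caret matching is simplified (same major, no prerelease or 0.x handling).

```javascript
// Added example: minimum-release-age filter over a registry packument.
// The packument is constructed sample data; "example-pkg" is hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

const packument = {
  name: "example-pkg",
  time: {
    created: "2025-01-10T09:00:00.000Z",
    modified: "2025-09-16T08:30:00.000Z",
    "1.2.0": "2025-06-01T12:00:00.000Z",
    "1.3.0": "2025-08-20T12:00:00.000Z",
    "1.3.1": "2025-09-16T08:30:00.000Z", // published about a day before "now"
    "2.0.0": "2025-07-01T12:00:00.000Z",
  },
};

const parse = (v) => v.split(".").map(Number);
const compare = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Simplified caret match (assumption): same major version and >= base.
const satisfiesCaret = (version, base) =>
  parse(version)[0] === parse(base)[0] && compare(version, base) >= 0;

// Highest version matching ^base that was published at least minAgeDays ago.
// Returns null when nothing qualifies, so the caller fails closed.
function resolve(pkg, base, minAgeDays, now) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const eligible = Object.entries(pkg.time)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v)) // skips created/modified keys
    .filter(([v]) => satisfiesCaret(v, base))
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compare);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

const now = new Date("2025-09-17T10:00:00.000Z");
console.log(resolve(packument, "1.2.0", 0, now)); // no cooldown
console.log(resolve(packument, "1.2.0", 3, now)); // 3-day cooldown
```

With the caret kept, the 3-day cooldown holds the install on the previous release until the new one has aged past the window.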

Already an open issue on this specifically regarding the pnpm implementation: https://github.com/npm/cli/issues/8570

Edit: Fairly good conversation already ongoing on https://github.com/npm/rfcs/issues/646

Lorondos avatar Sep 17 '25 10:09 Lorondos

They should require 2fa to submit packages. The fact that malware can push to npm without a human having to do 2fa is crazy.

trcoffman avatar Sep 17 '25 11:09 trcoffman

This is more for projects themselves but having PR requirements where another person must approve a release before it gets published would be good, even mandatory AI scans that if they pick up any suspicious logic, flags it for peer review and makes it difficult to publish until manual intervention/review has been done.

Lorondos avatar Sep 17 '25 16:09 Lorondos

> Artifactories are also implementing package delay policies such as JFrog have done, a minimum delay before picking up npm packages for publishing.

@Lorondos tried finding references to this, do you happen to have a link?

twesterhuys avatar Sep 18 '25 09:09 twesterhuys

> > Artifactories are also implementing package delay policies such as JFrog have done, a minimum delay before picking up npm packages for publishing.
>
> @Lorondos tried finding references to this, do you happen to have a link?

To be more specific on this, more that we have implemented an internal policy on JFrog for this.

Lorondos avatar Sep 22 '25 14:09 Lorondos