npm
Posts
TanStack npm Worm: The Supply-Chain Attack With a Dead-Man's Switch
On May 11, 2026, attackers republished 14+ official TanStack packages on npm with a worm that signs itself with valid SLSA provenance and arms a dead-man's switch that wipes your home directory the moment you revoke the stolen GitHub token. Here is what happened, how the payload works, and how to check your machine.
Mini Shai-Hulud: PyTorch Lightning Just Stole Your CI Secrets
On April 30 a supply chain worm pushed malicious versions of PyTorch Lightning (10M+ downloads/month), intercom-client, and intercom-php to PyPI, npm, and Packagist in 48 hours. It steals every credential in your CI and propagates through your own GitHub tokens. Here is what to check and what to rotate.
Claude Code Source Leaked via npm Source Maps: Lessons for Every DevOps Team
Anthropic accidentally shipped source maps in their npm package, exposing 512,000 lines of Claude Code source. Here is what went wrong and how to prevent it in your own CI/CD pipeline.
The Axios Supply Chain Attack: What DevOps Teams Need to Know
A compromised npm maintainer account led to malicious axios versions deploying a RAT across macOS, Windows, and Linux. Here is what happened, how to check if you are affected, and how to prevent this in your pipeline.