Following one of the most intense periods of supply chain attacks in npm’s history, The Changelog podcast invited Socket founder and CEO Feross Aboukhadijeh to unpack what happened and what developers can do to protect themselves.
While the headline-grabbing compromises of popular libraries and utilities have subsided, malicious packages continue to appear on npm every day. In our latest threat research, we uncovered ten typosquatted npm packages that used fake CAPTCHAs and system fingerprinting to deploy a cross-platform credential stealer.
“The faster you upgrade your packages, the more safe you are from software vulnerabilities, but then the faster you upgrade, the more vulnerable you are to supply chain attacks,” Feross explained on the podcast. “So there’s some middle ground where you want to be behind a little bit but not too behind, especially when there’s a vulnerability. And that’s the art of it, figuring out how to do that.”
Here are a few practical steps Feross outlined in the episode that developers can take to stay safe when using npm.
1. Use Lock Files
Always check in your lock file and avoid deleting or regenerating it unnecessarily. Lock files pin exact dependency versions, preventing you from accidentally pulling in a newly compromised version during reinstall.
2. Delay New Package Versions
If you use pnpm, enable the minimum-release-age feature to delay adoption of new package versions. Even a 24-hour or 7-day delay can protect your projects from freshly published malware that is typically caught and removed quickly.
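The two steps above can be checked mechanically. The script below is an added example, not Socket's code or pnpm's implementation of the setting: it walks a package-lock.json (v3 layout), flags any dependency whose entry lacks an integrity hash, and flags any resolved version that was published less than a chosen number of days before "now". The lockfile fragment, the package names and versions, and the publish-time table are all constructed inline so it runs offline; in real use the lock file comes from disk and the publish times from the registry's per-package metadata (for example `npm view <pkg> time --json`).

```javascript
// Added example (not from Socket or the podcast): audit a lockfile for
// missing integrity hashes and for versions younger than a minimum release age.

// Constructed package-lock.json v3 fragment with hypothetical package names.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad-ish": "^1.3.0", "tiny-util": "^2.0.0" } },
    "node_modules/left-pad-ish": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-HASH"
    },
    "node_modules/tiny-util": {
      version: "2.0.1",
      resolved: "https://registry.npmjs.org/tiny-util/-/tiny-util-2.0.1.tgz"
      // integrity deliberately missing: nothing verifies this tarball on reinstall
    }
  }
};

// Constructed publish times, shaped like the "time" field of registry metadata.
const PUBLISH_TIMES = {
  "left-pad-ish": { "1.3.0": "2025-01-10T12:00:00.000Z" },
  "tiny-util": { "2.0.0": "2025-01-01T00:00:00.000Z", "2.0.1": "2025-03-01T09:30:00.000Z" }
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Package name from a lockfile path such as "node_modules/@scope/name" or a
// nested "node_modules/a/node_modules/b": everything after the last "node_modules/".
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns one finding per problem: missing-integrity, unknown-publish-time, or too-new.
function auditLockfile(lockfile, publishTimes, nowMs, minReleaseAgeDays) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    if (lockPath === "") continue; // the root project itself, not a dependency
    const name = packageName(lockPath);
    if (!entry.integrity) {
      findings.push({ name, version: entry.version, issue: "missing-integrity" });
    }
    const published = publishTimes[name]?.[entry.version];
    if (!published) {
      findings.push({ name, version: entry.version, issue: "unknown-publish-time" });
      continue;
    }
    const ageDays = (nowMs - Date.parse(published)) / DAY_MS;
    if (ageDays < minReleaseAgeDays) {
      findings.push({ name, version: entry.version, issue: "too-new", ageDays: Math.floor(ageDays) });
    }
  }
  return findings;
}

const NOW = Date.parse("2025-03-03T00:00:00.000Z"); // constructed "current" time

// Usage: a 7-day minimum release age, as the post suggests.
console.log(JSON.stringify(auditLockfile(LOCKFILE, PUBLISH_TIMES, NOW, 7), null, 2));
```

Run this in CI alongside `npm ci` (which, unlike `npm install`, refuses to proceed when the lock file and package.json disagree) and fail the build on any finding. The too-new check is the same idea as pnpm's release-age delay, applied to whatever is already pinned in the lock file rather than at resolution time.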
3. Review Your GitHub Actions
Avoid using the pull_request_target trigger unless absolutely necessary, and audit workflows for potential shell injection risks. Delete old branches that contain outdated workflows so attackers cannot trigger vulnerable code paths.
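As an added illustration of the audit described above (example code written for this post, not a Socket tool or a GitHub-provided linter), the script below scans a workflow file for three things: a pull_request_target trigger, a checkout of the pull request head while that trigger is in use, and attacker-controlled expressions such as the PR title interpolated directly into a run: step, which is how shell injection happens in Actions. The workflow text is constructed inline and contains both the risky pattern and the safe alternative (passing the value through an env: variable). It deliberately uses a line-based scan rather than a full YAML parser so it has no dependencies; a production check should parse the YAML properly.

```javascript
// Added example (not from Socket or GitHub): flag risky patterns in a workflow.

// Constructed workflow with one injectable step and one safe step.
const WORKFLOW_LINES = [
  'name: pr-check',
  'on:',
  '  pull_request_target:',
  '    types: [opened, synchronize]',
  'jobs:',
  '  greet:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          ref: ${{ github.event.pull_request.head.sha }}',
  '      - name: Echo title',
  '        run: |',
  '          echo "PR title: ${{ github.event.pull_request.title }}"',
  '          npm test',
  '      - name: Safe echo',
  '        env:',
  '          TITLE: ${{ github.event.pull_request.title }}',
  '        run: echo "PR title: $TITLE"',
];
const WORKFLOW = WORKFLOW_LINES.join("\n");

// Expressions whose value a pull request author controls; a subset of the
// event fields GitHub documents as untrusted input.
const UNTRUSTED = /\$\{\{\s*(?:github\.event\.(?:pull_request|issue|comment|review|head_commit|workflow_run)\.|github\.head_ref|inputs\.)/;
const RUN_KEY = /^(?:-\s+)?run:\s*(.*)$/;
const TRIGGER = /^(?:on:.*?|-\s*)?pull_request_target\b/;
const PR_HEAD_REF = /^ref:\s*\$\{\{\s*github\.event\.pull_request\.head\./;
const BLOCK_SCALAR = new Set(["", "|", "|-", "|+", ">", ">-", ">+"]);

// Returns findings sorted by line: pull_request_target-trigger,
// checkout-of-pr-head (only reported when that trigger is present), expression-in-run.
function auditWorkflow(yamlText) {
  const findings = [];
  const checkoutLines = [];
  let run = null; // { line, indent, body } while inside a multi-line run: block

  const closeRun = () => {
    if (run && UNTRUSTED.test(run.body.join("\n"))) {
      findings.push({ line: run.line, issue: "expression-in-run" });
    }
    run = null;
  };

  yamlText.split("\n").forEach((raw, i) => {
    const lineNo = i + 1;
    const text = raw.trim();
    const indent = raw.length - raw.trimStart().length;

    // Lines indented deeper than the run: key belong to its script body.
    if (run) {
      if (text === "" || indent > run.indent) { run.body.push(text); return; }
      closeRun();
    }
    if (TRIGGER.test(text)) {
      findings.push({ line: lineNo, issue: "pull_request_target-trigger" });
      return;
    }
    const m = RUN_KEY.exec(text);
    if (m) {
      if (BLOCK_SCALAR.has(m[1])) run = { line: lineNo, indent, body: [] };
      else if (UNTRUSTED.test(m[1])) findings.push({ line: lineNo, issue: "expression-in-run" });
      return;
    }
    if (PR_HEAD_REF.test(text)) checkoutLines.push(lineNo);
  });
  closeRun();

  // Checking out the PR head is only dangerous when the job runs with the
  // base repository's secrets, i.e. under pull_request_target.
  if (findings.some((f) => f.issue === "pull_request_target-trigger")) {
    for (const line of checkoutLines) findings.push({ line, issue: "checkout-of-pr-head" });
  }
  return findings.sort((a, b) => a.line - b.line);
}

console.log(auditWorkflow(WORKFLOW));
```

The "Safe echo" step produces no finding because the untrusted value reaches the shell only as the environment variable `$TITLE`, which the shell expands as data rather than as code. Running the same scan over every branch, not just the default one, is what makes the advice about deleting old branches actionable: a stale workflow on a forgotten branch is still a reachable trigger.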
4. Turn On Two-Factor Authentication
Enable 2FA for all npm maintainers on your team, especially for popular or high-traffic packages. Many recent compromises began with stolen or phished maintainer credentials.
5. Add a Firewall for Your Dependencies
Our new Socket Firewall (SFW) tool is free and provides an extra layer of protection by intercepting dependency installs from npm, PyPI, and Cargo. (More languages are supported in Socket Firewall Enterprise.) It blocks known malware, typosquats, and backdoors automatically with no configuration or API key required.
npm i -g sfw
sfw npm install lodahs
Recent npm attacks show how quickly malicious packages can spread through the ecosystem, but there are basic practical steps developers can take to protect themselves. With stronger defaults, safer workflows, and tools like Socket Firewall in place, the open source community can keep building securely on npm.
Watch the full Changelog episode below.