From typos to takeovers: Inside the industrialization of npm supply chain attacks

A massive surge in attacks on the npm ecosystem over the past year reveals a stark shift in the software supply‑chain threat landscape.

What once amounted to sloppy typosquatting attempts has evolved into coordinated, credential-driven intrusions targeting maintainers, CI pipelines, and the trusted automation that underpins modern development.

For security leaders, these aren’t niche developer mishaps anymore — they’re a direct pathway into production systems, cloud infrastructure, and millions of downstream applications.

The goal is no longer to trick an individual developer, but to quietly inherit their authority. And with it, their distribution reach.

“NPM is an attractive target because it is the world’s largest JavaScript package repository and a key control point for distributing software,” said Melinda Marks, cybersecurity practice director at Enterprise Security Group. “Security teams need an understanding of dependencies and ways to regularly audit and mitigate risk.”

Structural weaknesses in the npm infrastructure

Nearly every enterprise relies on npm, whether directly or indirectly. According to IDC, 93% of organizations use open-source software, and npm remains the largest package registry in the JavaScript ecosystem. “Compromising a single popular package can immediately reach millions of downstream users and applications,” IDC’s research manager (DevSecOps), Katie Norton, said, turning one stolen credential into what she described as a “master key” for distribution.

That scale, however, is only part of the risk.

The exposure is amplified by structural weaknesses in how modern development pipelines are secured, Norton remarked. “Individual open-source maintainers often lack the security resources that enterprise teams rely on, leaving them susceptible to social engineering,” she said. “CI/CD runners and developer machines routinely process long-lived secrets that are stored in environment variables or configuration files and are easily harvested by malware.”

“Build systems also tend to prioritize speed and reliability over security visibility, resulting in limited monitoring and long dwell times for attackers who gain initial access,” Norton added.

While security leaders can’t patch their way out of this one, they can reduce exposure. Experts consistently point to the same priorities: treating CI runners as production assets, rotating and scoping publish tokens aggressively, disabling lifecycle scripts unless required, and pinning dependencies to immutable versions.

“These npm attacks are targeting the pre-install phase of software dependencies, so typical software supply chain security methods of code scanning cannot address these types of attacks,” Marks said. Detection requires runtime analysis and anomaly detection rather than signature-based tooling.

From typo traps to legitimate backdoors

For years, typosquatting defined the npm threat model. Attackers published packages with names just close enough to popular libraries, such as “lodsash,” “expres,” and “reacts,” and waited for automation or human error to do the rest. The impact was usually limited, and remediation straightforward.

That model began to break in 2025.

Instead of impersonating popular packages, attackers increasingly compromised real ones. Phishing campaigns spoofing npm itself harvested maintainer credentials. Stolen tokens were then used to publish trojanized updates that appeared legitimate to every downstream consumer. The Shai-Hulud campaign illustrated the scale of the problem, affecting tens of thousands of repositories and leveraging compromised credentials to self-propagate across the ecosystem.

“The npm ecosystem has become the crown jewels of modern development,” said Kush Pandya, a cybersecurity researcher at Socket.dev. “When a single prolific maintainer is compromised, the blast radius spans hundreds of downstream projects.”

The result was a quiet but powerful shift: attackers no longer needed to create convincing fakes. They could ship malware through trusted channels, signed and versioned like any routine update.

Developer environments over developer laptops

Modern npm attacks increasingly activate inside CI/CD environments rather than on developer laptops. Post-install scripts, long treated as benign setup helpers, became an execution vector capable of running automatically inside GitHub Actions or GitLab CI. Once inside a runner, malicious packages could read environment variables, steal publish tokens, tamper with build artifacts, or even push additional malicious releases under the victim’s identity.
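A pre-build check for the exposure described above and for two of the priorities listed earlier (lifecycle scripts and pinned versions). This is an added example, not code from the article or its sources. The package names, hashes and the single-registry allowlist are constructed assumptions; `hasInstallScript`, `integrity` and `resolved` are the fields npm writes into package-lock.json.

```javascript
// Constructed sample data (package-lock v3 layout); names and hashes are placeholders.
const sampleManifest = {
  dependencies: { "left-pad-demo": "1.3.0", "fast-build-demo": "^2.1.0", "ui-kit-demo": "latest" },
};
const REGISTRY = "https://registry.npmjs.org/"; // assumption: the only source this project expects
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/left-pad-demo": {
      version: "1.3.0", resolved: REGISTRY + "left-pad-demo/-/left-pad-demo-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED" },
    "node_modules/fast-build-demo": {
      version: "2.1.4", resolved: REGISTRY + "fast-build-demo/-/fast-build-demo-2.1.4.tgz",
      integrity: "sha512-CONSTRUCTED", hasInstallScript: true },
    "node_modules/ui-kit-demo": {
      version: "0.9.0", resolved: "git+ssh://git@example.com/ui-kit-demo.git#main" },
  },
};

// Exact semver only: ranges (^, ~, *), dist-tags and URLs can resolve to a new release later.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function unpinnedRanges(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(range)) out.push({ name, range, field });
    }
  }
  return out;
}

function lockFindings(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // skip the root project and workspace links
    const name = path.split("node_modules/").pop();
    // Set by npm when the package declares preinstall/install/postinstall scripts.
    if (entry.hasInstallScript) findings.push({ name, issue: "install-script" });
    if (!entry.integrity) findings.push({ name, issue: "no-integrity" });
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY))
      findings.push({ name, issue: "non-registry-source" });
  }
  return findings;
}

console.log(unpinnedRanges(sampleManifest), lockFindings(sampleLock));
```

In CI, `npm ci --ignore-scripts` installs what the lockfile records without running lifecycle scripts; the `install-script` findings show which packages that setting would affect.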

“Developer environments and CI runners are now worth more than end-user machines,” Pandya noted. “They usually have broader permissions, access to secrets, and the ability to push code into production.”

Several campaigns observed in mid-2025 were explicitly CI-aware, triggering only when they detected automated build environments. Some included delayed execution or self-expiring payloads, minimizing forensic visibility while maximizing credential theft.

For enterprises, this represents a fundamental risk shift. CI systems often operate with higher privileges than any individual user, yet are monitored far less rigorously. “They are often secured with weaker defaults: long-lived publish tokens, overly permissive CI secrets, implicit trust in lifecycle scripts and package metadata, and little isolation between builds,” Pandya noted.

According to IDC Research, organizations allocate only about 14% of AppSec budgets to supply-chain security, with only 12% of them identifying CI/CD pipeline security as a top risk.

Evasion as a first-class feature

As defenders improved at spotting suspicious packages, attackers adapted too.

Recent npm campaigns have used invisible Unicode characters to obscure dependencies, multi-stage loaders that fetch real payloads only after environment checks, and blockchain-hosted command-and-control (C2) references designed to evade takedowns. Others deployed worm-like behavior, using stolen credentials to publish additional malicious packages at scale.
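One of the techniques named above, invisible Unicode characters, can be checked for mechanically before a manifest is trusted. The scanner below is an added example, not code from the article or from any vendor quoted in it; the manifest is constructed, and the set of code points treated as invisible is an assumption that can be widened.

```javascript
// Format controls (zero-width, bidi, tag characters), variation selectors, Hangul fillers.
const INVISIBLE = /[\p{Cf}\uFE00-\uFE0F\u{E0100}-\u{E01EF}\u115F\u1160\u3164]/gu;

function findInvisible(text) {
  return [...text.matchAll(INVISIBLE)].map((m) => ({
    index: m.index,
    codePoint: "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// Walk every key and string value of a parsed manifest and report the
// JSON paths that carry hidden code points. Paths are printed with the
// hidden characters stripped so the report itself is readable.
function scanManifest(node, path = "$") {
  const hits = [];
  if (typeof node === "string") {
    const found = findInvisible(node);
    if (found.length) hits.push({ path, where: "value", found });
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}.${key.replace(INVISIBLE, "")}`;
      const found = findInvisible(key);
      if (found.length) hits.push({ path: childPath, where: "key", found });
      hits.push(...scanManifest(value, childPath));
    }
  }
  return hits;
}

// Constructed manifest: the second dependency key renders like the first but
// ends in U+200B, and the build script carries two variation selectors.
const constructedManifest = JSON.parse(
  '{"dependencies":{"lodash":"4.17.21","lodash\\u200b":"9.9.9"},' +
  '"scripts":{"build":"node build.js \\ufe00\\ufe01"}}'
);

for (const hit of scanManifest(constructedManifest)) {
  const points = hit.found.map((f) => `${f.codePoint}@${f.index}`).join(", ");
  console.log(`${hit.path} (${hit.where}): ${points}`);
}
```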

Manual review has become largely ineffective against this level of tradecraft. “The days when you could skim index.js and spot a malicious eval() are gone,” Pandya said. “Modern packages hide malicious logic behind layers of encoding, delayed execution, and environment fingerprinting.”

Norton echoed the concern, noting that these attacks operate at a behavioral level where static scanning falls short. “Obfuscation techniques make malicious logic difficult to distinguish from legitimate complexity in large JavaScript projects,” she said. “CI-aware payloads and post-install scripts introduce behavior that only manifests under specific environmental conditions.”