Hardening Your npm and pnpm Configs in the Age of Shai-Hulud
A copy-paste-ready .npmrc and pnpm-workspace.yaml that actually defends against the supply-chain attacks of 2025 and 2026 — with the threat model behind every directive.
How to set up an isolated Node.js local development environment with VS Code DevContainers and 1Password to keep secrets out of your filesystem and avoid supply-chain security incidents like shai-hulud, the qix maintainer compromise and others.
npm binary planting is a way to cause dependency confusion within installed executable packages run with npx. Haoqun Jiang from the Vue.js and Vite core teams has patched the Vue.js CLI to mitigate this security risk.
The npm ecosystem is a minefield of security risks. How can JavaScript developers protect against these threats and adopt npm security best practices? Here's how.
The XZ backdoor (CVE-2024-3094) already happened in JavaScript 5 years ago, but now the xz and liblzma malware bundled into Linux distributions is bringing about a world-wide cybersecurity threat that jeopardizes trust, sustainability and security in the open-source ecosystem.
North Korean state hackers compromise the npm supply chain with malicious packages; crypto thieves exploit the Ledger Connect Kit library published to npm, stealing $600k before being detected; the incident highlights the risks of uncontrolled open-source usage and the need for better validation and monitoring of third-party code.