npm Supply Chain Attacks
A supply chain attack in the npm ecosystem occurs when an attacker compromises a package — or the infrastructure around it — to inject malicious code into applications that depend on it. npm is uniquely exposed to this class of attack: the registry hosts over 3 million packages, the average project pulls in hundreds of transitive dependencies, many packages are maintained by a single person, and npm install executes arbitrary install scripts by default. This page covers what has happened, how these attacks work, and what you can do to defend against them.