Skip to content
Loading
.marisi

How to Mitigate npm Supply Chain Attacks: A Practical Guide from the Trenches

How to Mitigate npm Supply Chain Attacks: A Practical Guide from the Trenches hero image

I've spent enough time on the response side of npm supply chain incidents to have a pretty firm opinion: most teams I talk to are running one or two defensive controls and calling it a day. Usually it's npm audit in CI plus some vague feeling that Dependabot has it covered. That's not a defense. That's a hope.

The uncomfortable truth is that npm supply chain attacks are not edge cases anymore. They're a recurring, well-documented class of attack with known patterns and known countermeasures. The good news is that almost every meaningful defense is documented in official sources (npm's own docs, the Node.js security guidance, OWASP, SLSA). The bad news is that no single one of them is sufficient on its own.

This post walks through what an attack actually looks like, the categories you should expect to see, the layered controls that actually work, and an honest take on what doesn't.

What an npm supply chain attack actually looks like

Let's start with a concrete, recent example: the node-ipc credential-stealing campaign that StepSecurity documented in May 2026. I want to use this one because it's well-analyzed and because it breaks several assumptions that teams still rely on.

node-ipc is a Node.js inter-process communication library with roughly 10 million weekly downloads. On May 14, 2026, three malicious versions (9.1.6, 9.2.3, and 12.0.1) were published to the registry simultaneously by a maintainer account, atiertant, that had never previously published a release for the package. The 12.0.0 release that preceded these was published 21 months earlier by the legitimate author. Either the account was freshly compromised or it was quietly added to the maintainer list specifically so this publish could happen.

The technical details matter, so I'll go through them:

  • The payload was an 80 KB obfuscated IIFE appended to the bottom of node-ipc.cjs, after the final module.exports. Because Node evaluates top-level CommonJS statements on load, the payload fires the moment anything does require('node-ipc'). No method call needed, no config flag.
  • There were no preinstall, install, or postinstall scripts. This is the part that should bother you. A lot of teams (mine included, historically) think that disabling lifecycle scripts is sufficient. It isn't. This payload deliberately avoided lifecycle hooks specifically to evade tools that only scan them.
  • The ESM bundle was untouched. Only the CommonJS bundle was poisoned. So any consumer using import with a bundler resolving the "module" field was unaffected. Anyone on require() was hit.
  • The 9.x versions were entirely fabricated. The legitimate 9.x line had never shipped a .cjs bundle at all. The attacker copied the 12.x layout into synthetic 9.1.6 and 9.2.3 tarballs to maximize blast radius across pinning patterns (~9.1, ~9.2, ^9, ^12, ~12.0).
  • Once executed, the payload harvested over 90 categories of credentials, including ~/.aws/credentials, ~/.ssh/id_*, ~/.kube/config, .npmrc, GitHub CLI configs, Terraform state, .env* files, shell history, macOS keychains, and Claude API configs. It tarred and gzipped the lot in memory.
  • Exfiltration used two channels. HTTPS POST to sh.azurestaticprovider.net (a typosquatted domain crafted to look like Azure infrastructure in logs), and DNS TXT queries sent directly to the C2's IP at 37.16.75.69, bypassing local DNS resolvers entirely.

A few things failed here that traditional approaches told us would protect us. Trusting a long-running, reputable maintainer didn't help because the threat model assumed the maintainer's account stays the maintainer's account. Lifecycle script scanning didn't help because there were no lifecycle scripts. Corporate DNS logging didn't help because the exfiltration bypassed corporate resolvers.

The categories you should expect

Briefly, because the patterns repeat:

Maintainer account takeover. The canonical example is the 2018 event-stream incident, where a maintainer handed off the package to a stranger who then injected wallet-stealing code targeting Copay. node-ipc in 2026 is the same class of attack with a different access method.

Typosquatting. Publishing crossenv to catch typos for cross-env, and so on. npm's own package name guidelines explicitly call out this category, and npm reserves the right to remove typosquatting packages under their policies.

Dependency confusion. Disclosed by Alex Birsan in 2021. If your internal package name isn't claimed on the public registry, an attacker can publish a higher-version package with the same name publicly, and misconfigured clients will prefer the public one. This hit Apple, Microsoft, and dozens of others in the original disclosure.

Protestware and intentional sabotage. The 2022 node-ipc / peacenotwar incident shipped a file-overwriting payload based on geo-IP. The 2026 attack on the same package is unrelated (different actor, financial motive), but it's worth noting that this package now has two separate documented supply chain incidents against it.

Malicious postinstall scripts. Still common. Still worth disabling. Just don't assume that disabling them is sufficient, because node-ipc 2026 didn't use one.

Layer 1: dependency selection and review

Before you install anything, you've already made decisions that constrain your blast radius.

Pin versions. Real pinning, not caret ranges. Use a committed package-lock.json (or npm-shrinkwrap.json if you're publishing libraries). The Node.js security best practices page is explicit about this: pin direct dependencies to immutable versions and use lockfiles to pin transitives. Worth noting, the same doc also warns about lockfile poisoning, so a lockfile alone isn't a magic shield. Review lockfile diffs in PRs the same way you'd review code.

Before adding a new dependency, actually look at it. Maintainer history. Download counts and trend. Recent commit activity. For small packages (the kind you're tempted to add for one helper function), read the source. If the GitHub repo doesn't match what's published to npm, that's a real risk per the Node.js docs ("the GitHub source code is not always the same as the published one, validate it in the node_modules").

Run npm audit, but understand what it does. Per docs.npmjs.com/about-audit-reports, audit reports are built from known vulnerabilities in the GitHub Advisory Database. They catch CVEs in your dependency tree. They do not detect previously unknown malicious packages, novel zero-days, or compromised packages that haven't been reported yet. npm audit would not have caught node-ipc@12.0.1 on May 14, 2026. It would have caught it after the advisory was published, which is a different thing.

Enable Dependabot or equivalent for advisory monitoring. It uses the same GitHub Advisory Database, so the same limitations apply, but it's still table stakes.

Layer 2: install-time protections

This is where most teams have the easiest wins available and aren't taking them.

Disable lifecycle scripts where you can. Per the npm CLI docs, you can do this per-install:

npm install --ignore-scripts

Or globally via .npmrc:

ignore-scripts=true

The Node.js security best practices doc recommends both forms. Yes, this breaks packages that genuinely need postinstall (some native modules, for example). Allowlist those individually rather than leaving the door open for everything. It's annoying. Do it anyway.

In CI, use npm ci instead of npm install. Per docs.npmjs.com/cli/v11/commands/npm-ci, it installs strictly from the lockfile and errors out if package.json and the lockfile disagree, rather than silently updating the lockfile the way npm install will. Deterministic installs are the baseline.

Consider a private registry proxy. Verdaccio, JFrog Artifactory, Sonatype Nexus, GitHub Packages, all of them let you sit between your developers and the public registry. The real value here isn't just caching, it's the ability to enforce policy: cooldown windows on newly published versions, allowlists, signature verification. A cooldown of even 24 to 72 hours would have entirely neutralized the node-ipc campaign for any team using one, because the malicious versions were flagged within hours of publication.

Layer 3: build and CI environment isolation

The OWASP Top 10 CI/CD Security Risks lays out the attack surface here cleanly. Dependency Chain Abuse is CICD-SEC-3 in that list, and Poisoned Pipeline Execution is CICD-SEC-4. If you haven't read it, it's worth a coffee's worth of time.

A few concrete controls:

  • Run builds in ephemeral environments. Fresh container per job, destroyed after. Don't reuse runners across tenants.
  • Restrict outbound network access from build agents. Ideally, allowlist only the package registries and APIs your build actually needs. This is the single control that would have most directly blunted node-ipc 2026, because the payload's entire purpose was outbound exfiltration. A build runner that can't talk to sh.azurestaticprovider.net or arbitrary DNS resolvers can still get compromised, but it can't tell anyone.
  • Use least-privilege, short-lived tokens. OIDC-based authentication to cloud providers (per the major cloud providers' GitHub Actions integration docs) eliminates long-lived secrets sitting in CI. If a malicious package does run, there's no stored AWS access key for it to steal.
  • Don't put production secrets in dev pipelines. If your PR builds have access to prod, you've got a different problem.

OWASP's CICD-SEC-6 (Insufficient Credential Hygiene) covers this whole area. The recurring theme across documented CI/CD breaches (SolarWinds, Codecov, the various npm incidents) is that the initial code execution wasn't the worst thing that happened. The credential theft was.

Layer 4: provenance and integrity

This is the layer that's most underused, partly because it's relatively new.

npm shipped package provenance in 2023. When a package is published with npm publish --provenance from a supported CI environment (GitHub Actions and GitLab, currently), npm generates a signed attestation linking the published tarball to the specific commit and build that produced it. The attestations are stored in the public Sigstore transparency log. Documented at docs.npmjs.com/generating-provenance-statements.

As a consumer, you can verify provenance for packages that publish it. As a publisher, you should be turning it on. It doesn't prevent a compromised maintainer from publishing from their own CI, but it does mean unauthorized publishes from unusual locations become detectable, and it gives you a cryptographic chain of custody.

Beyond npm's specific implementation, the broader framework is SLSA (Supply-chain Levels for Software Artifacts). SLSA defines build integrity levels, with each level adding stricter requirements for build provenance, isolation, and tamper resistance. It's a useful maturity model even if you don't pursue formal compliance, because it gives you a vocabulary for the conversation with leadership about where you are and where you want to be.

npm also requires 2FA for publishing on packages above certain download thresholds, and supports trusted publishing via OIDC so package maintainers can publish from CI without long-lived tokens at all. Both are documented under Securing your code in the npm docs.

Layer 5: runtime and monitoring

Generate an SBOM for your built artifacts. npm has built-in support via npm sbom (per the CLI docs), which can emit either CycloneDX or SPDX format. Both are the documented industry standards. Keep the SBOMs. When the next advisory drops at 2am, you want to be able to grep your fleet for affected versions in minutes, not hours.

Monitor egress from production and from CI runners. Unusual outbound connections from a Node process to a domain nobody on your team has ever heard of is a high-signal indicator. In the node-ipc case, connections to sh.azurestaticprovider.net from a build agent should have set off something. Most teams I've worked with have decent ingress monitoring and basically nothing on egress.

Have an incident response playbook that specifically covers "a package in our dependency graph was just compromised." The first question you'll need to answer is "which of our systems had this installed in the last N days," and you need to have already figured out how to answer that before you need to.

What would have caught node-ipc

Tying it back. If I order the defenses by how directly they'd have helped on May 14, 2026:

  • A registry cooldown of 24+ hours: would have prevented the install entirely on most systems. Highest value, lowest effort if you already run a private registry mirror.
  • Egress allowlisting on build agents: would not have prevented installation but would have blocked exfiltration. The credential theft is what made this incident bad, so blocking that is most of the damage avoided.
  • OIDC-based, short-lived credentials in CI: dramatically reduces what's available to steal in the first place.
  • --ignore-scripts: would not have helped here. The payload didn't use lifecycle scripts. Still worth having for the many other attacks that do.
  • npm audit / Dependabot: would have caught it after the advisory was published. Useful for cleanup, not for prevention on day zero.
  • Provenance verification: the malicious versions weren't published with provenance, so a consumer policy requiring provenance for node-ipc would have failed the install. This is a real, available control, though enforcement tooling is still maturing.

What doesn't actually work

A few things commonly recommended that I'd push back on:

Relying on npm audit as your supply chain defense. Per the official docs, it reports known vulnerabilities from the advisory database. That's a lagging indicator. The window between a malicious publish and the advisory landing is exactly when the damage happens.

Freezing all dependencies forever. Pinning is good, but never updating means you accumulate known unpatched CVEs. You trade one risk class for a worse one. The goal is deterministic, reviewable updates, not no updates.

Counting dependencies as a security metric. Going from 800 to 600 dependencies doesn't make you safer if you didn't change anything about how those 600 are selected, installed, or run. It's a vanity metric.

Trusting "reputable" maintainers as a control. event-stream was reputable. node-ipc was reputable. Reputation is useful signal but not a defense.

Where to start if you can't do everything

If you have a week: turn on ignore-scripts=true globally, switch CI to npm ci, audit your .npmrc files for stray tokens, and rotate any long-lived npm or cloud tokens that have been sitting around. These are config changes, not architecture changes.

If you have a quarter: stand up a private registry proxy with a cooldown window on newly published versions. Move CI credentials to OIDC-based short-lived tokens. Implement egress allowlisting on your build runners, even if it starts permissive and tightens over time. Generate SBOMs for your built artifacts and store them somewhere queryable.

Table stakes for a security-conscious team: all of the above, plus provenance verification on the packages you depend on most, an actual playbook for "a dependency was compromised, what do we do in the next four hours," and someone whose job description includes paying attention to the OSS advisory feeds.

The thing I keep coming back to is that none of this is one tool. The node-ipc payload bypassed lifecycle scanning, bypassed maintainer reputation, bypassed corporate DNS logging, and would have bypassed npm audit on day zero. But it could not have bypassed all of registry cooldown, egress allowlisting, short-lived credentials, and provenance verification simultaneously. Defense in depth isn't a slogan, it's the only model that actually matches how these attacks unfold. Pick the next layer you don't have yet, and add it this quarter.