Originally posted on getcommit.dev.

In October 2021, ua-parser-js was used by Facebook, Microsoft, Amazon, and Google. It had around 7 million weekly downloads. It had no reported CVEs. It had clean code and an active maintainer. npm audit and every vulnerability scanner built on CVE data reported the same thing: nothing wrong here.

Then the maintainer's npm account was hijacked. Three malicious versions (0.7.29, 0.8.0 and 1.0.0) carried a cryptominer and a credential stealer into every CI pipeline and production server that resolved to one of them while they were live. The blast radius: roughly four hours of exposure, millions of installs, Fortune 500 pipelines.

The structural profile that made it worth attacking (a single maintainer account, massive download volume, clean code) was fully present before the attack. It was visible, computable from public registry data, and nobody was measuring it.

This is the gap most npm supply chain audits leave open: they scan for known vulnerabilities in the code, not for the conditions that make a package worth compromising.
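As an added example, not code from the original post or from ua-parser-js, here is one way to compute that structural profile from the two public npm endpoints the registry exposes (`https://registry.npmjs.org/<name>` for the package document, `https://api.npmjs.org/downloads/point/last-week/<name>` for weekly downloads). It flags two signals: a large install base resting on one or two maintainer accounts, and a burst of versions published within minutes of each other, which is what pushing a payload to every supported version line looks like. The `SAMPLE_*` documents, the package name, and every threshold are constructed for the example and are not ua-parser-js's real data.

```javascript
// Added example (not from the original post or the ua-parser-js project).
// Computes a "structural risk" profile for an npm package from public data.
// Field shapes follow the two public endpoints:
//   https://registry.npmjs.org/<name>                       package document
//   https://api.npmjs.org/downloads/point/last-week/<name>  weekly downloads
// SAMPLE_* documents and all thresholds below are constructed for illustration.

const THRESHOLDS = {
  weeklyDownloads: 1_000_000,     // install base large enough to matter (assumed)
  maxMaintainers: 2,              // "bus factor" cut-off (assumed)
  burstVersions: 3,               // this many versions ...
  burstWindowMs: 30 * 60 * 1000,  // ... inside 30 minutes counts as a burst (assumed)
};

// Pull the structural signals out of a registry package document and a
// downloads document. Pure function: runs on cached JSON, no network needed.
function structuralProfile(pkgDoc, downloadsDoc) {
  const maintainers = (pkgDoc.maintainers || []).map((m) => m.name);
  const weekly = Number(downloadsDoc.downloads) || 0;
  // pkgDoc.time maps version -> ISO publish timestamp, plus "created"/"modified".
  const publishes = Object.entries(pkgDoc.time || {})
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([version, iso]) => ({ version, t: Date.parse(iso) }))
    .filter((p) => Number.isFinite(p.t))
    .sort((a, b) => a.t - b.t);
  return {
    name: pkgDoc.name,
    maintainers,
    weeklyDownloads: weekly,
    downloadsPerMaintainer: maintainers.length ? Math.round(weekly / maintainers.length) : weekly,
    latest: pkgDoc['dist-tags'] ? pkgDoc['dist-tags'].latest : undefined,
    publishes,
  };
}

// Largest number of versions published inside any single window of windowMs
// (sliding window over the time-sorted publish list).
function maxPublishBurst(publishes, windowMs) {
  let best = 0;
  for (let i = 0, j = 0; i < publishes.length; i++) {
    while (publishes[i].t - publishes[j].t > windowMs) j++;
    best = Math.max(best, i - j + 1);
  }
  return best;
}

// Turn a profile into findings. Two independent signals:
//  1. concentration: a very large install base behind very few maintainer
//     accounts, so one stolen credential reaches the whole install base;
//  2. publish burst: several versions released within minutes, which a normal
//     release process rarely does but a payload pushed to every supported
//     version line does.
function assess(profile, t = THRESHOLDS) {
  const findings = [];
  if (profile.weeklyDownloads >= t.weeklyDownloads && profile.maintainers.length <= t.maxMaintainers) {
    findings.push(`concentration: ${profile.weeklyDownloads} weekly downloads behind ${profile.maintainers.length} maintainer account(s)`);
  }
  const burst = maxPublishBurst(profile.publishes, t.burstWindowMs);
  if (burst >= t.burstVersions) {
    findings.push(`publish-burst: ${burst} versions published within ${t.burstWindowMs / 60000} minutes`);
  }
  return { name: profile.name, burst, findings, risky: findings.length > 0 };
}

// Constructed sample documents, shaped like the real endpoint responses.
const SAMPLE_PKG = {
  name: 'example-parser',
  'dist-tags': { latest: '1.0.0' },
  maintainers: [{ name: 'solo-maintainer', email: 'solo@example.invalid' }],
  time: {
    created: '2015-01-10T09:00:00.000Z',
    modified: '2024-03-01T12:24:00.000Z',
    '0.7.28': '2023-08-15T10:00:00.000Z',
    '0.7.29': '2024-03-01T12:15:00.000Z',
    '0.8.0': '2024-03-01T12:18:00.000Z',
    '1.0.0': '2024-03-01T12:24:00.000Z',
  },
};
const SAMPLE_DOWNLOADS = {
  downloads: 7_200_000, start: '2024-02-23', end: '2024-02-29', package: 'example-parser',
};

// Live lookup against the real endpoints (Node 18+ global fetch). Defined but
// not called here so the file runs offline.
async function fetchAndAssess(name) {
  const enc = encodeURIComponent(name);
  const [pkgDoc, downloadsDoc] = await Promise.all([
    fetch(`https://registry.npmjs.org/${enc}`).then((r) => r.json()),
    fetch(`https://api.npmjs.org/downloads/point/last-week/${enc}`).then((r) => r.json()),
  ]);
  return assess(structuralProfile(pkgDoc, downloadsDoc));
}

const SAMPLE_RESULT = assess(structuralProfile(SAMPLE_PKG, SAMPLE_DOWNLOADS));
console.log(JSON.stringify(SAMPLE_RESULT, null, 2));
```

Run it on your lockfile's top dependencies by calling `fetchAndAssess` for each name. Neither signal is a vulnerability; both are conditions under which a single compromised credential becomes an ecosystem-wide incident, which is exactly what CVE-based scanners are not built to report.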