The npm account ai publishes seven packages. Combined, they install 964 million times per week:
Package
Weekly downloads
Publishers
Risk
The ai npm account controls postcss, nanoid, browserslist, caniuse-lite, autoprefixer, and more. All flagged CRITICAL. Zero OIDC provenance.
The npm account ai publishes seven packages. Combined, they install 964 million times per week:
Package
Weekly downloads
Publishers
Risk

One GitHub issue, nine days, four packages. Andrey Sitnik argued CI provenance makes things worse, then shipped Staged Publishing…

Stolen credentials produced valid Sigstore certificates, clearing 633 malicious npm packages — one of seven developer tool attack…

Originally posted on getcommit.dev. In October 2021, ua-parser-js was used by Facebook, Microsoft,...

The codexui-android npm package silently exfiltrated OpenAI Codex auth tokens to an attacker server for a month, affecting 29,000…

4 malicious npm packages with 3,006 downloads spread stealers and Phantom Bot, forcing removals and secret rotation.

Incident hitting npm users is likely the biggest supply-chain attack ever.