Supply Chain | 2026-05-28

160 npm Packages Compromised. Auto-Update Did This.

Attackers hijacked a maintainer token and pushed malicious code to 160+ npm packages. Every project with auto-update pulled it in automatically.

My take

This is not a zero-day. This is not some advanced persistent threat. Someone stole a token, probably from a .env file committed to a public repo, and pushed code that ran on install. The 'hack' was npm doing exactly what it was designed to do. Auto-update is a feature for attackers.

Terminal

# audit your project for known vulnerable packages
$ npm audit --json | jq '.vulnerabilities | length'
14
# check what runs on install
$ npm show some-package scripts
{ preinstall: 'node ./setup.js', postinstall: 'node ./telemetry.js' }
# that postinstall is where the payload hides
# lock your versions. review what you pull in.
$ npm config set ignore-scripts true

Takeaway

Lock your dependency versions. Disable auto-install scripts. If you don't know what a package does on install, you don't know what you're running in production.
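As an added example (not code from the original post), a Node.js script that performs the two checks above offline: it flags install-time lifecycle scripts in a set of package manifests and lists dependency specifiers that are not pinned to an exact version. The manifests, the `some-package` hooks and the `my-app` project are constructed samples, not real packages.

```javascript
// Added example, not from the original post. Two defender-side checks:
// 1) which packages declare install-time lifecycle scripts (where a payload hides),
// 2) which dependency specifiers are ranges that float instead of exact pins.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall']; // run by `npm install`

// Given parsed package.json objects (e.g. every node_modules/**/package.json),
// return the packages that run code on install, with the exact hook commands.
function findInstallScripts(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    const hooks = {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') hooks[hook] = scripts[hook];
    }
    if (Object.keys(hooks).length > 0) {
      findings.push({ name: pkg.name, version: pkg.version, hooks });
    }
  }
  return findings;
}

// Exact semver only: "4.1.7" or "1.2.3-beta.1" pass; "^4.1.0", "~1.2", "*", "latest" fail.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// List every dependency of a project manifest whose specifier lets npm pick a newer release.
function unpinnedDependencies(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Constructed samples (not real packages): one clean manifest, one with install hooks
// mirroring the `npm show` output above, and a project that pins only one of them.
const SAMPLE_MANIFESTS = [
  { name: 'left-align', version: '1.2.0', scripts: { test: 'node test.js' } },
  { name: 'some-package', version: '4.1.7',
    scripts: { preinstall: 'node ./setup.js', postinstall: 'node ./telemetry.js' } },
];
const SAMPLE_PROJECT = {
  name: 'my-app', version: '0.1.0',
  dependencies: { 'left-align': '1.2.0', 'some-package': '^4.1.0' },
};

console.log('install scripts:', JSON.stringify(findInstallScripts(SAMPLE_MANIFESTS)));
console.log('unpinned deps:', JSON.stringify(unpinnedDependencies(SAMPLE_PROJECT)));
```

To run it against a real tree, `JSON.parse` each `node_modules/**/package.json` and pass the array to `findInstallScripts`; a caret range like `^4.1.0` is exactly the kind of specifier that lets a hijacked release flow in on the next install.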