npm under siege (what to do about it) (Friends)

What It Covers

NPM faces unprecedented supply chain attacks in 2025, with billions of weekly downloads compromised through phishing, GitHub Actions exploits, and AI-powered malware. Socket Security's Feraz explains attack vectors, detection methods, and introduces Socket Firewall for real-time protection.

Key Questions Answered

• •Attack Scale: Over 1,700 confirmed typosquatting attacks detected in three years, with recent compromises affecting packages receiving 2-3 billion weekly downloads including Prettier, NX, and multiple Sindre Sorhus packages. Attackers stole approximately $500 in cryptocurrency despite massive reach, showing poor execution despite sophisticated access.
• •GitHub Actions Vulnerability: Attackers exploited pull_request_target trigger instead of pull_request in workflow files, combined with shell injection bugs, to steal NPM tokens from old branches. This perpetual vulnerability exists because historical GitHub Actions remain executable indefinitely through pull requests against archived branches, requiring manual GitHub support intervention to remove.
• •AI-Powered Malware: NX compromise used Claude and Gemini CLI tools with English prompts to scan file systems for sensitive data, triple base64-encoding stolen credentials to evade detection. This novel technique bypasses traditional pattern-matching security tools by using natural language instructions instead of recognizable malicious code patterns.
• •PNPM Delay Protection: Configure minimum_release_age setting to reject packages published within seven days, providing time for security vendors to detect malware before installation. This one-line configuration change offers significant protection against noisy attacks typically caught within hours or days, with override options for urgent security patches.
• •Socket Firewall Launch: New free tool (sfwpm install) routes package installations through local firewall checking for malware before allowing downloads. Works across NPM, Yarn, PNPM, Cargo, and Python package managers without API keys or rate limits, blocking malicious dependencies in real-time during development workflows.