Sources

div On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer’s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages. These packages collectively accounted for **over 2 billion weekly downloads**, affecting millions of applications globally—from personal projects to enterprise-grade systems. … ##### RecommendationscoFor developers & teams: - Use npm ci instead of npm install to enforce lockfile integrity. - Pin package versions using overrides in package.json. - Audit dependencies regularly with tools like npm audit, Snyk, or Socket.dev. - Review lockfile changes in pull requests. - Enable 2FA with hardware keys for all maintainer accounts.

And, aside from bloating my project file sizes from time to time, I haven't faced any serious issues. At least not yet. But that's not to say that you won't face any issues. Because NPM isn't foolproof and there are some potential issues that can spring up that can make for a bad development day. Corrupted modules Just recently two very popular NPM libraries came under scrutiny after it's developer seemingly corrupted the source code essentially breaking many builds around the world. Faker.js and Colors.js are two heavily used utility libraries that help developers with writing their code. Faker.js can generate random data for testing purposes and colors.js allows for style editing on a developers console window. … I don't personally use either of these myself. Needless to say, alot of developers were mad when they woke up that morning to sporadic error messages. While builds failed around the world and programmers brewed their second pots of coffee, GitHub moved quickly and released a security advisory informing developers that they should downgrade to the previous functional version. … Developers make mistakes and they deploy broken code to production all the time. If 2 or 3 people are using that library, then it isn't really a big deal. But if millions of developers are relying on this code that often times is only managed by 1 or 2 people, then there is a problem. … And often times, these small modules end up getting used by millions of people worldwide, including mega corporations. Add patent lawsuits to the equation, and no developer would be blamed for deciding to step away.Versioning This is both a great feature and a troublesome feature when it comes to relying on NPM dependencies.Well maintained code will usually go through various phases of revisions as developers add and features and improve performance.Sometimes however that revision includes completely removing methods altogether from the library. … Functions were removed, others were renamed and new ones were added.This meant, once again, broken builds. The benefit of NPM is that you can easily revert back to an older version whenever you wish. But that also means that you might find yourself with outdated libraries in a dependency soup at some point in the future.Note that this isn't solely an NPM issue. If you were managing modules and libraries yourself manually, you would still end up very much with the same issues.But because NPM makes updating and installing such a simple task, you might find that conflicts occur more frequently.LastlyIf you're using NPM, don't stop using NPM.

## The Current State: A Security Disaster Waiting to Happen Let's be honest about what we're dealing with. Today's package ecosystems operate on a foundation of trust that's fundamentally incompatible with the reality of modern software supply chains: - **Anyone can publish anything** with minimal verification - **Updates can be instant** with no cooling-off period for review - **Dependencies nest infinitely** creating attack surfaces developers never see - **Maintainer accounts are single points of failure** protected only by traditional 2FA … ### 3. Phishing-Resistant Authentication **Stop using TOTP codes.** They're fundamentally phishable and inadequate for critical infrastructure. - **Passkeys/WebAuthn only** for package publishing - **Hardware security keys** for npm accounts - **Domain-bound authentication** that can't be proxied Passkeys are unphishable by design because they're cryptographically bound to the correct domain. An attacker can create a perfect replica of npmjs.com, but they can't make passkeys work on npmjs.help. … ### 5. Transparent Build Processes **Source code should match published packages.** The disconnect between GitHub repositories and npm packages is a massive security hole. - **Provenance attestation** linking packages to source commits - **Reproducible builds** that can be verified by third parties - **Automated scanning** of source-to-package differences

## TL;DR The npm ecosystem seems unwell. If you are concerned with security, reliability, or long-term maintenance, it is almost impossible to pick a suitable package to use — both because there are 1.3 million packages available, and even if you find one that is well documented and maintained, it might depend on hundreds of other packages, with dependency trees stretching ten or more levels deep — as one developer, it’s impossible to validate them all. … ## The premise I don’t like the way I feel when I’m installing packages with npm. Selecting a package, installing it, discovering the 93 additional packages that were installed along with it, and hoping all of *them* are also suitable for my project… it feels out of control. I feel unhappy because picking dependencies is hard, so I blame npm, and that way my problems are not my fault. … So while I am less concerned with packages having large and deep `devDependency` trees (I *am* still concerned, but less so), it seems that a large proportion of packages aren’t making use of the distinctions between `dependencies` and `devDependencies` in the first place. That *is* concerning. ## Dependency tree depths I am defining the depth of a package’s dependency tree as the longest dependency-of-a-dependency-of-a-dependency chain I can find. Especially deep dependency trees are a problem because of how difficult they make it to audit all the packages that will get installed when including a single new package. The *average* dependency tree depth in npmjs.org is just under 4. Which doesn’t sound too bad! … **Imagined:** ... Remember that we were hoping for mostly 2, 3, and 4. Instead, there is still a long tail of packages with tree depths *above 20*. 20 is… much larger than I was expecting, and I was expecting to be disappointed. … ## Experiment conclusions Certainly, npm doesn’t match my hoped-for “healthy” qualities. You can take that to mean my desires are unrealistic, or that something is genuinely wrong. As homework for the reader: an easy way to disprove my analysis would be to show that other package repositories have the same issues: cycles, high depth, high indirect dependencies, a large proportion of unmaintained packages, packages from the statistical tails among the most-used, etc. … None of these things are bad! I am glad javascript is popular; I am glad npm made a thoughtful and easy way to publish packages; I am glad we fixed the impermanent-package dangers that `left-pad` so dramatically exposed. But the collection of these observations, combined with human nature, results in npmjs.org having 5 times more packages than PyPI, a huge number of which are undocumented, maintained, unused, or nonsensical. Even among the popular and frequently maintained packages, you’ll find packages with vast numbers of dependencies, including dependencies with security issues, deprecations, circular dependencies, and so on.

### The Core of the Problem: Managing Node Modules Every package manager for JavaScript solves the same core issue: downloading dependencies from the npm registry and making sure they play nicely together in a project. This may sound like a simple thing to do, but the Node.js ecosystem is notorious for deep, bloated node_modules trees, long install times, and version conflicts. That’s where these tools start to differentiate. … ### Developer Preferences in 2025 Surveys and GitHub trends show that PNPM has surged in popularity over the past two years. While NPM still dominates due to default usage with Node.js, many mid-size to large teams are switching to PNPM for better performance and stricter dependency isolation. Yarn remains strong in enterprise settings and monorepos, but its PnP system and complexity can turn off devs who want simplicity.

In software development, consistency and stability are critical — especially when managing dependencies. However, NPM’s default behavior when installing packages—using the caret ( `^`) in `package.json` — creates a fragile environment that often leads to frustrating issues for developers. Idempotent and reproducible dependency management should be the standard experience by default, but NPM’s use of `^` undermines this goal. Here’s why it’s time to rethink the default use of caret versioning in NPM, and how it sets developers up for future pain, particularly given the complexities of semantic versioning (semver). … This means that any future installation can upgrade the `lodash` dependency to anything below `5.0.0`. While this aims to provide developers with bug fixes and new features without manual intervention, it introduces significant risks: **unexpected changes**, **hidden regressions**, and **version incompatibilities** in complex projects. ## 1. Semver is Hard—and NPM Makes it Harder Semantic versioning (semver) is designed to make versioning predictable: major versions introduce breaking changes, minor versions add features, and patches fix bugs. However, not all packages in the JavaScript ecosystem strictly adhere to semver rules. Accidental breaking changes are common, even in minor or patch versions. By defaulting to `^`, NPM shifts the burden of semver compliance onto developers, who must constantly monitor updates to avoid potential breakages. This behavior creates unpredictable outcomes that often surface in production or CI pipelines. **NPM’s default makes the promise of semver nearly impossible to uphold**, resulting in wasted time troubleshooting issues that stem from unintended updates. … ## 3. ^ is a Time Bomb Waiting to Go Off The flexibility provided by ^ introduces risks that compound over time. Here’s why: **Invisible Updates**: Dependencies can be updated silently, resulting in unexpected issues. **Version Conflicts**: As the dependency tree grows, conflicts arise between direct and transitive dependencies. … ## Conclusion NPM’s default use of the caret ( `^`) for versioning creates more problems than it solves. In an ideal world, semantic versioning would work flawlessly, but in reality, **semver is hard** — and NPM’s current behavior makes it even harder by encouraging version drift and unpredictable builds. A reproducible, idempotent developer experience should be the default, not the exception. By shifting to `--save-exact`, NPM would align with practices of more stable ecosystems like Go and NuGet. ... The minor

a mixed-methods approach to analyzing their responses. Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satis- fied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependen- cies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. To improve npm security, developers seek better detection tools, clearer documentation, stronger account protections, and more … bilities [29]. This RQ identifies technical, organizational, and human ... RQ4: What improvements should be prioritized to strengthen security for npm packages? - Software security interventions often fail without practitioner input [28]. In this RQ, we gather … main concern, followed closely by dependency vulnerabilities and malicious code injection, which are ranked second and third, re- spectively. In addition, the two top-ranked threats received very similar scores, indicating a high level of concern among developers. Next, respondents were presented with an optional free-text response question (#12) to specify other areas they perceive as sig- … caused by “too much noise” in security notifications, where the volume of alerts can make it difficult to identify and prioritize genuine security threats. • Ecosystem Fragmentation. Ensuring support for multiple pack- age managers (e.g., npm, pnpm, yarn) and JavaScript runtimes (e.g., Node, Deno, Bun) can make package maintenance challeng- ing, which can distract developers from security concerns. • Malicious Code Execution. One primary concern raised by respondents is the automatic execution of post-install scripts by … being unclear. Some of the key reasons for dissatisfaction include: • Tool Noise and Alert Fatigue. Respondents complained that security scanners generate too many false positives or contextu- ally irrelevant warnings, as one respondent noted, “The security scanning system in npm is a complete joke and more of a nuisance than anything. 99% of the “vulnerabilities” are idiotic and not wor- … mon coding mistakes or patterns that lead to vulnerabilities. For instance, one participant highlighted the absence of “common mistake scanning (pattern matching, etc.),” while another criticized that “tooling feels primitive and buggy.” • Limited Tool Awareness. Some respondents admitted that they lacked knowledge about available tools, with responses like “Do … dependency vulnerabilities, and malicious code injection. Only 40% of developers are satisfied with the current security tools for npm packages. Common issues include alert fatigue, feature gaps, and a lack of awareness about available tools. 4.2 RQ2: What security practices and tools do npm developers leverage in building and … As shown in Table 7, respondents most frequently cited time constraints as a key barrier (49 responses; 26.2%). Other notable challenges included difficulty keeping up with security updates and emerging threats (33; 17.6%) and the complexity of managing dependencies (23; 12.3%). Insufficient community support was the … Difficulty keeping up with security updates and threats 33 17.65% Complexity of managing dependencies 23 12.30% Lack of awareness or understanding of se- curity best practices 19 10.16% Limited access to security resources 17 9.09% Table 8: Top five developer challenges with security tools. … 16.38% Other 10 8.62% At the tool level (Table 8), the obstacle most frequently reported was a high false-positive rate in security scans (35 responses; 30.2%), followed by inaccurate vulnerability detection and limited automa- tion for dependency management. The least reported issue was in- tegration difficulties with CI/CD pipelines (7 responses). Comments in the “Other” category included licensing constraints, overreliance on dependencies, and tools limited to static analysis. Summary for RQ3. Time constraints are the most frequently cited barrier to secure package development, with other challenges in- cluding difficulties in keeping up with security updates and man- aging dependencies. At the tool level, a high false-positive rate in security scans was the most frequently reported issue, while CI/CD integration issues are comparatively rare. 4.4 RQ4: What improvements should be prioritized to strengthen security for npm packages? While the prior RQs focused on current perceptions, practices, and

In software development, consistency and stability are critical — especially when managing dependencies. However, NPM’s default behavior when installing packages—using the caret ( `^`) in `package.json` — creates a fragile environment that often leads to frustrating issues for developers. Idempotent and reproducible dependency management should be the standard experience by default, but NPM’s use of `^` undermines this goal. Here’s why it’s time to rethink the default use of caret versioning in NPM, and how it sets developers up for future pain, particularly given the complexities of semantic versioning (semver). … This means that any future installation can upgrade the `lodash` dependency to anything below `5.0.0`. While this aims to provide developers with bug fixes and new features without manual intervention, it introduces significant risks: **unexpected changes**, **hidden regressions**, and **version incompatibilities** in complex projects. ## 1. Semver is Hard—and NPM Makes it Harder Semantic versioning (semver) is designed to make versioning predictable: major versions introduce breaking changes, minor versions add features, and patches fix bugs. However, not all packages in the JavaScript ecosystem strictly adhere to semver rules. Accidental breaking changes are common, even in minor or patch versions. By defaulting to `^`, NPM shifts the burden of semver compliance onto developers, who must constantly monitor updates to avoid potential breakages. This behavior creates unpredictable outcomes that often surface in production or CI pipelines. **NPM’s default makes the promise of semver nearly impossible to uphold**, resulting in wasted time troubleshooting issues that stem from unintended updates. … ## 3. ^ is a Time Bomb Waiting to Go Off The flexibility provided by ^ introduces risks that compound over time. Here’s why: **Invisible Updates**: Dependencies can be updated silently, resulting in unexpected issues. **Version Conflicts**: As the dependency tree grows, conflicts arise between direct and transitive dependencies. **CI Pipeline Failures**: Even if code works locally, a new patch version of a dependency may cause unexpected CI build failures. … ## Conclusion NPM’s default use of the caret ( `^`) for versioning creates more problems than it solves. In an ideal world, semantic versioning would work flawlessly, but in reality, **semver is hard** — and NPM’s current behavior makes it even harder by encouraging version drift and unpredictable builds. A reproducible, idempotent developer experience should be the default, not the exception.

`package.json` which will satisfy a dependency), it is all but impossible to say exactly *what* you’ll get *a priori*, as large parts of the dependency graph may change substantially between package versions. Really, all of this simply compounds the root problem: well meaning development principles have been pushed to their logical extreme. This ultimately makes simply understanding what you’ll get with a given install an almost impossibly hard problem. This is doubly true if you want to develop anything more than a cursory understanding of the stuff that sits upstream from your development efforts – not mentioning the authors and maintainers *behind* those packages. … ### It Only Gets Worse While all of this seems bad enough, what about updates to those 7,000 existing packages? Even if we have undeniable proof that all of the authors sitting upstream are honest and well intentioned, what happens if they suffer a credential breach, like the relatively-recent one suffered by Docker Hub? Additionally, what if their account credentials are compromised in some other way? … *thousands* of third party dependencies for a single library is astronomical – especially when you consider that many of those packages (especially in the NPM ecosystem) are less than 5 (not 500, or 5k, but 5) Source Lines Of Code (SLOC) in length. While that is generally not a great measure of effectiveness, the risk/reward and maintenance trade-offs of incorporating libraries which have many times more text in licenses and packaging files (such as build files, manifests, etc) than what resides within the body of the package itself is absolutely terrible.

a mixed-methods approach to analyzing their responses. Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satis- fied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependen- cies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. To improve npm security, developers seek better detection tools, clearer documentation, stronger account protections, and more … age developers utilize security tools, identifying common and rare practices, gaps hindering adoption, deviations from guidelines, and practices needing redesign or better advocacy. RQ3: What barriers hinder the secure development and main- tenance of npm packages? ... age abandonment, popularity, dependency structures, or contribu- tion practices. In addition, we examine not only developers’ security perceptions but also the concrete practices, tools, and barriers they face when building and maintaining secure npm packages. Beyond confirming the fragilities of the npm ecosystem, our findings re- … main concern, followed closely by dependency vulnerabilities and malicious code injection, which are ranked second and third, re- spectively. In addition, the two top-ranked threats received very similar scores, indicating a high level of concern among developers. Next, respondents were presented with an optional free-text response question (#12) to specify other areas they perceive as sig- nificant security threats to npm packages. We received 12 responses to this question, and a thematic analysis of their responses revealed concerns related to both technical vulnerabilities and human factors. The themes identified are: • Developer Security Knowledge Deficit. Gaps in security edu- cation can lead to unsafe practices (e.g., “many people are doing … caused by “too much noise” in security notifications, where the volume of alerts can make it difficult to identify and prioritize genuine security threats. • Ecosystem Fragmentation. Ensuring support for multiple pack- age managers (e.g., npm, pnpm, yarn) and JavaScript runtimes (e.g., Node, Deno, Bun) can make package maintenance challeng- … • Package Maintainer Trust. Respondents expressed concerns regarding package maintainers, including those who intention- ally insert malicious code, as well as those whose behavior might not be malicious but still creates security risks (e.g., “drunk, or crazy package maintainers”). • Dependency Freshness Challenges. Widely used but unmain- … being unclear. Some of the key reasons for dissatisfaction include: • Tool Noise and Alert Fatigue. Respondents complained that security scanners generate too many false positives or contextu- ally irrelevant warnings, as one respondent noted, “The security scanning system in npm is a complete joke and more of a nuisance than anything. 99% of the “vulnerabilities” are idiotic and not wor- … mon coding mistakes or patterns that lead to vulnerabilities. For instance, one participant highlighted the absence of “common mistake scanning (pattern matching, etc.),” while another criticized that “tooling feels primitive and buggy.” • Limited Tool Awareness. Some respondents admitted that they lacked knowledge about available tools, with responses like “Do … dependency vulnerabilities, and malicious code injection. Only 40% of developers are satisfied with the current security tools for npm packages. Common issues include alert fatigue, feature gaps, and a lack of awareness about available tools. 4.2 RQ2: What security practices and tools do npm developers leverage in building and … As shown in Table 7, respondents most frequently cited time constraints as a key barrier (49 responses; 26.2%). Other notable challenges included difficulty keeping up with security updates and emerging threats (33; 17.6%) and the complexity of managing dependencies (23; 12.3%). Insufficient community support was the … Difficulty keeping up with security updates and threats 33 17.65% Complexity of managing dependencies 23 12.30% Lack of awareness or understanding of se- curity best practices 19 10.16% Limited access to security resources 17 9.09% Table 8: Top five developer challenges with security tools.

RedMonk has been following package management forever, but what has only become more true in 2025 is that building modern applications requires pulling down and managing a boatload of dependencies. Running the command npm install in the CLI for a React Native project, for instance, can add close to 1,500 dependencies to the package.json file. … Meanwhile, developer forums on Reddit and Hacker News are awash with stories about malicious and spam npm packages. In addition to the lottie-player library exploit, which Jakub Pavlík, co-founder & head of engineering at Exaforce, explains: “highlighted the fragility of the NPM ecosystem’s security,” Phylum Research’s “The Great npm Garbage Patch” discusses: “the proliferation of spam packages in npm associated with the Tea protocol, a decentralized initiative that promises to compensate software developers in cryptocurrency for their open-source contributions.” … The Node community is particularly concerned about the state of npm. According to Robin Bender Ginn, Executive Director of the OpenJS Foundation: > JavaScript developer communities are telling us that they see real or perceived security and performance gaps with npm/GitHub. Consequently, the JavaScript ecosystem risks fragmentation, with new package registries emerging. This outcome is less than ideal due to the significant burden of maintaining registries, potential interoperability challenges, and evolving security compliance requirements.

**TL;DR:** The npm ecosystem is dangerously fragile. The September 2025 attack exposed deep, systemic flaws in how we manage and secure open source packages. Fixing this requires more than patching vulnerabilities—we need structural reforms, from governance to cryptographic safeguards. The npm package registry is the beating heart of modern software development. But in September 2025, that heart skipped a beat. A coordinated attack compromised several high-traffic npm packages, affecting projects downloaded over 2 billion times. While the breach was detected quickly, the implications run far deeper than a single incident. ... When attackers breached multiple npm packages—some with billions of downloads—they didn’t just exploit individual weaknesses. They exposed systemic issues in how the ecosystem operates. According to OX Security’s analysis, attackers used social engineering and credential theft to gain access to maintainer accounts. ... It was a failure of the system that puts critical infrastructure in the hands of unpaid volunteers with few safeguards. ### Why the Current npm Model Is Broken The npm ecosystem relies on a few core assumptions that no longer hold up under scrutiny: #### 1. **Single Maintainer Control Is a Risk** Many popular packages are maintained by one or two individuals. If their credentials are compromised—or if they burn out—the entire chain of dependent software is at risk. We need **multi-party authorization** for publishing updates to high-impact packages. #### 2. **Lack of Cryptographic Verification** Right now, anyone with access to a maintainer account can publish a new version of a package. Without **cryptographic package signing using hardware security keys**, there’s no end-to-end trust in what developers are installing. #### 3. **Weak Authentication Practices** The attack succeeded in part due to phishing and weak authentication. For critical packages, we need **phishing-resistant authentication**, such as mandatory hardware tokens or biometric verification. #### 4. **No Economic Support for Maintainers** Expecting unpaid individuals to secure core infrastructure is unrealistic. We need **economic models** that provide sustainable funding for security audits, maintenance, and incident response. #### 5. **Orphaned Packages Create Risk** When maintainers step away, critical packages can become orphaned. Without a **governance structure** to take over responsibility, these packages become soft targets for attackers. #### 6. **Manual Security Reviews Don’t Scale** Given the volume of updates, **automated security review processes** are essential. These can flag anomalies, detect malicious patterns, and reduce the burden on human reviewers. #### 7. **No Community-Led Oversight** We need **community-driven security committees** for widely used packages like `chalk`, `debug`, and `lodash`. These groups can provide oversight, coordinate responses, and enforce best practices. ### Key Takeaways **Centralized control is a vulnerability**: Critical packages should require multi-party approval for updates. **Trust must be verifiable**: Implement cryptographic signing and hardware-based authentication. **Security requires resources**: Fund and support maintainers of essential packages. **Governance matters**: Create fallback structures for maintaining orphaned or high-risk dependencies. **Scale with automation**: Use automated tools to review and flag suspicious updates. … • Continuous Integration and Continuous Deployment (CI/CD): Building a Better Future One Commit at a Time – CI/CD practices are closely tied to npm workflows; this article explores how better tooling and automation can solve ecosystem pain points such as dependency issues and deployment reliability. • Why “Move Fast and Break Things” Might Break Your Business – This piece critiques the rapid iteration culture that often leads to fragile package ecosystems, offering a philosophical counterpoint relevant to npm’s current challenges and the need for more responsible development practices.