Tag
#npm
3 posts tagged #npm.
-
Analysis · May 17, 2026 · Colten Anderson
The malware was signed. The signature was real. The package was poison.
TanStack's npm release pipeline published 84 malicious package versions with valid SLSA provenance. The attestation was correct: it proved the packages were built by TanStack's own pipeline. Whether that pipeline could be trusted was the question that mattered, and provenance does not answer it.
-
Analysis · May 12, 2026 · Colten Anderson
What 14 days of TeamPCP told us about registry defense in 2026
Five compromises across two ecosystems in six weeks, then a 169-package npm wave on May 11. One threat actor, two very different defensive postures. The pattern is the point.
-
Analysis · May 4, 2026 · Colten Anderson
Three hours was the good outcome: npm's trust model and the Axios compromise
A DPRK threat actor backdoored two Axios versions on npm. Socket flagged the malicious dependency in six minutes. Nothing stopped the downstream publish fifteen minutes later. The system worked exactly as designed.