What You Will Read in This Blog
- 🔥 “This company is sleeping” – The exact moment we realized NPM doesn’t care
- ⏱️ 5 minutes to publish malware – Live walkthrough with zero security checks
- 🎭 Fake everything – Fake author, fake GitHub link, fake download counts (yes, easily)
- 💀 Real attacks – Axios got hacked. 1,800 packages got infected.
- 🛡️ How to not get owned – 5 brutal, practical defenses
- 🎬 David Dobrik-level pullout – Yes, I’m putting the drama in cybersecurity
The Pullout: “This Company Is Sleeping”
Let me rewind. I was watching a live session with engineer Raj Dave. He opened VS Code, typed a few lines, and said:
“I will create an NPM package. I will fake the author name. I will fake the repository URL. I will run virtual machines to fake download counts. NPM will not check anything.”
Then he hit publish.
It worked.
He turned to the camera and dropped the line that made my stomach turn:
“This company is sleeping. NPM doesn’t care. Zero security checks. Publish whatever you want.”
He wasn’t exaggerating.

The 5-Minute Malware Publish (Step by Step)
I watched Raj do this in real time. Here’s what happened:
| Step | What Raj Did | What NPM Did |
|---|---|---|
| 1 | Wrote "author": "Fake Hacker" | ✅ Allowed it |
| 2 | Wrote "repository": "https://github.com/axios/axios" | ✅ Allowed it |
| 3 | Published with npm publish | ✅ No scan, no virus check, no questions |
| 4 | Could easily fake 10k downloads with VMs | ✅ NPM has no defense |
Total time: Under 5 minutes.
“NPM did not even run an Antes Security checks or anything,” Raj said. “So, that’s very scary and funny at the same time. You can literally do anything with code.”
Funny? Sure. Scary? Absolutely.
This Isn’t a Joke – It’s Already Happening
You think I’m being dramatic? Let me hit you with real attacks:
🔴 Axios (2021) – One of the most downloaded packages on Earth (20M+ weekly downloads). A maintainer’s account got phished. Malicious version was live for 3 hours. Anyone who ran npm install axios during that window potentially installed a Remote Access Trojan.
🔴 Shai-Hulud (2024) – Over 1,800 packages infected across npm and Maven. Attackers used postinstall scripts to scrape environment variables – AWS keys, cloud secrets, everything.
🔴 Fake downloads are real – “What I will do is I will run some virtual machines and generate some fake amount of downloads,” Raj admitted. “That is completely possible and I totally agree with you.”
So when you see a package with 10k weekly downloads? Could be legit. Could be a hacker with a script and 20 minutes.
🛡️ How to Not Get Owned (5 Brutal Steps)
You want to keep your cloud secrets safe? Do this. Right now.
1. Add two lines to .npmrc
Create or edit .npmrc in your project root:
```ini
ignore-scripts=true
min-release-age=7
```
- `ignore-scripts=true` → blocks preinstall/postinstall malware from running automatically.
- `min-release-age=7` → prevents npm from installing any package version less than 7 days old.
This alone stops 90% of supply chain attacks.
2. Turn on 2FA – The Right Way
Go to npm → Account Settings → 2FA. Select “2FA for both authentication and publishing”.
Not just login. Publishing. This means even if your password leaks, hackers can’t push malicious updates.
3. Stop trusting download counts
Raj showed you can fake them. Do this instead:
- ✅ Check the last release date (recent = maintained)
- ✅ Look for TypeScript types (`.d.ts` files)
- ✅ Read the `package.json` scripts – any `postinstall`? Investigate.
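As an added example (not code from the post or from Raj's session), here is a small Node script that applies the two `.npmrc` policies from step 1 to package metadata and flags the install-time scripts step 3 tells you to look for. The package names, versions and dates are constructed; the `time` map has the shape `npm view <pkg> --json` returns.

```javascript
// Added example (not the post's code): apply the post's two .npmrc policies
// to package metadata and flag install-time scripts. Sample data is constructed.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Constructed sample metadata, trimmed to the fields the checks use
// (real values would come from `npm view <pkg> --json`).
const SAMPLE_PACKAGES = [
  { name: "good-lib", version: "2.1.0",
    scripts: { test: "jest" },
    time: { "2.1.0": "2025-01-01T00:00:00.000Z" } },
  { name: "sus-lib", version: "0.0.3",
    scripts: { postinstall: "node setup.js" },
    time: { "0.0.3": "2025-01-09T12:00:00.000Z" } },
];

// Lifecycle hooks that npm would run automatically unless ignore-scripts=true.
function installScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === "string");
}

// Whole days since the installed version was published, or null if unknown.
function releaseAgeDays(pkg, now) {
  const published = pkg.time && pkg.time[pkg.version];
  if (!published) return null;
  return Math.floor((now - Date.parse(published)) / 86400000);
}

// One package against both policies: min-release-age (days) and no install scripts.
function auditPackage(pkg, { minReleaseAge = 7, now = Date.now() } = {}) {
  const findings = [];
  for (const hook of installScripts(pkg)) {
    findings.push(`${hook} script: "${pkg.scripts[hook]}"`);
  }
  const age = releaseAgeDays(pkg, now);
  if (age === null) findings.push("no publish time in metadata");
  else if (age < minReleaseAge) findings.push(`only ${age}d old (< ${minReleaseAge}d)`);
  return { name: pkg.name, version: pkg.version, blocked: findings.length > 0, findings };
}

function auditAll(pkgs, opts) {
  return pkgs.map((p) => auditPackage(p, opts));
}

// Fixed clock so the sample output is reproducible.
const DEMO_NOW = Date.parse("2025-01-10T00:00:00.000Z");
for (const r of auditAll(SAMPLE_PACKAGES, { now: DEMO_NOW })) {
  console.log(`${r.blocked ? "BLOCK" : "ok   "} ${r.name}@${r.version} ${r.findings.join("; ")}`);
}
```

In the sample, `good-lib` passes (no hooks, 9 days old) and `sus-lib` is blocked twice over: it ships a `postinstall` script and is under a day old.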
4. Run npm audit weekly
```shell
npm audit
npm audit fix
```
It checks your entire dependency tree against the National Vulnerability Database. Free. Built-in. Use it.
5. Never store long-lived tokens
That “bypass 2FA for CI/CD” token? It’s real. And dangerous. If it leaks (and they do – people commit them to GitHub by accident), attackers can publish as you.
Solution: Use short-lived tokens or GitHub Actions’ built-in npm authentication.
The Final Cut
Raj ended the session with this:
“Hopefully if someone from NPM is watching this video… they need to do some validation before they ask someone to publish their package.”
I’ll say it louder:
No pre-publish malware scan. No author verification. No download count legitimacy check. Just trust – blind, dangerous trust.
Until they wake up, it’s on you.
Add ignore-scripts=true to your .npmrc right now. Takes 10 seconds.
Or don’t. And maybe next time you run npm install, you’re also installing a keylogger.
Your call.
Want to see the full live walkthrough? Watch Raj Dave publish an npm package while laughing about how easy it is to hack the system.
Extras:
npm Security Updates: What Developers Need to Know in 2026
npm v12 Security Overhaul – Major Changes Coming
1. GitHub Announces npm v12 Security Overhaul (June 2026)
The upcoming npm v12 release, expected in July 2026, will disable automatic execution of installation scripts by default. This is one of the biggest changes aimed at stopping supply chain attacks.
2. Upcoming Breaking Changes for npm v12
Use the new command npm approve-scripts --allow-scripts-pending to review packages with scripts, approve trusted ones, and save the settings in your package.json.
3. Preparing for npm v12 – Timeline
- npm 11.16.0 (Available now): Warnings enabled by default, strict mode opt-in
- npm 12 (July 2026): `allowScripts` turned off by default
4. GitHub to Automatically Disable npm Install Scripts
The change will block automatic script execution to reduce supply chain risks. Developers can use the new npm approve-scripts command to audit dependencies.
5. Automatic Controls Against Malicious npm Scripts
These protections are currently available as warnings in npm 11.16.0+. They will become the default behavior in npm v12.
Shai-Hulud Worm & Active Supply Chain Attacks
6. Over 100 NPM and PyPI Packages Hit by New Shai-Hulud Variants (June 2026)
New variants named Miasma and Hades continue to target the npm and PyPI ecosystems.
7. Mini Shai-Hulud Supply Chain Attack (CVE-2026-45321)
A credential-stealing campaign active from September 2025 to May 2026 targeting developers.
8. Shai-Hulud Copycats After Source Code Leak
Modified versions of the worm are already being used in new attacks.
9. Official Mitigation Repository
10. npm Threat Landscape – Palo Alto Unit 42 (June 2026)
Recent attack compromised 32 packages under the @redhat-cloud-services namespace.
Axios RAT Attack (March 2025)
11. The Axios Breach – Maintainer Account Takeover
12. Axios Supply Chain Attack Impact
Compromised versions remained undetected for 174 minutes and installed RAT malware.
13. Supply Chain Attacks in 2025/2026 – Lessons Learned
PhantomRaven Campaign (2025)
14. PhantomRaven Malware in 126 npm Packages
Over 86,000 downloads recorded while stealing GitHub tokens.
15. MAL-2025-49100 – dynamic-import-node
16. PhantomRaven Evolution – Sonatype
npm Security Best Practices & Hardening
17. npm Security Best Practices (Liran Tal)
- Use `ignore-scripts=true`
- Set `min-release-age=30` (block packages newer than 30 days)
18. Official NPM/Yarn Hardening Guide
- Configure minimum release age (7+ days)
- Always consider `--ignore-scripts`
19. npm Supply Chain Security in 2026
Comparison of protection offered by npm, Yarn, and pnpm.
Additional npm Security News
20. npm Adds 2FA-Gated Publishing (May 2026)
21. npm Supply Chain Hardening Progress (Feb 2026)