NPM
15 mentions across all digests
npm is the JavaScript package registry and package manager, with 100 million weekly downloads, that was the target of a March 2026 supply chain attack in which the widely used axios package was compromised with a remote access trojan.
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Bitwarden CLI's npm package was poisoned through a compromised GitHub Action in a supply chain attack affecting 10M+ users, with the malicious code sharing infrastructure with other Checkmarx campaign tools.
Anthropic goes nude, exposes Claude Code source by accident
Anthropic accidentally exposed Claude Code's complete source (~1,900 TypeScript files, 512K+ LOC) through an unobfuscated npm source map, which was mirrored across 41,500+ GitHub forks before removal.
Before GitHub
Armin Ronacher questions GitHub's future under Microsoft stewardship, tracing how it transformed open source but accidentally enabled the micro-dependency explosion and may be superseded.
Npm Slop & Wonky Software Supply Chains
npm and pip registries lack provenance verification for uploaded bundles, creating exploitable supply chain vulnerabilities that source-reproducible builds cannot practically mitigate.
Features everyone should steal from npmx
npmx's viral adoption (1,000+ PRs, 100+ contributors in weeks) forced npm to finally ship dark mode—a 5-year-old request—and adopt UX patterns like dependency vulnerability trees and version diffing.
At least one major package registry (npm, PyPI, VS Code Marketplace, or Chrome Web Store) will announce new policies specifically targeting malicious acquisitions of legitimate packages/extensions — requiring ownership transfer review or mandatory re-audit — by end of May 2026, citing the Essential Plugin WordPress backdoor as precedent.
npm will announce mandatory provenance attestation, package signing, or enhanced 2FA requirements for packages exceeding 50K weekly downloads by end of June 2026, following the JavaScript AI toolchain supply chain attack cluster targeting NPM/Axios/plain-crypto-js.