npm supply chain attacks are increasing, including a typosquat package mimicking Supabase. The post explains how these attacks work (maintainer compromise, typosquatting, build pipeline poisoning like the TanStack incident) and provides concrete defensive steps: upgrading to pnpm 11 with minimumReleaseAge set to 3-7 days, pinning exact versions for sensitive dependencies, committing and reviewing lockfiles, disabling install scripts where possible, verifying package names before installing, pinning GitHub Actions to commit SHAs, avoiding pull_request_target with code checkout, rotating credentials after suspected exposure, and using scanners like Socket.dev as a secondary defense.
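The Actions-pinning, `pull_request_target` and exact-version steps listed above, as an added example that is not from the original post or from Supabase: a heuristic audit that flags `uses:` references not pinned to a full commit SHA, `actions/checkout` inside a `pull_request_target` workflow, and dependency specifiers that are not exact versions. The sample workflow, the package names and the function names `auditWorkflow` and `auditVersions` are constructed for illustration.

```javascript
// Added example; heuristic line-based checks, no YAML parser. Sample inputs are constructed.
const SAMPLE_WORKFLOW = `
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: pnpm install --frozen-lockfile
`;
const SAMPLE_PACKAGE = {
  dependencies: { "example-auth-lib": "^2.1.0", "example-db-client": "3.4.5" },
  devDependencies: { "example-build-tool": "~1.0.0" },
};

// Flag `uses:` references not pinned to a full 40-hex commit SHA, and any
// actions/checkout step in a workflow triggered by pull_request_target.
function auditWorkflow(text) {
  const findings = [];
  const lines = text.split("\n");
  const prTarget = lines.some((l) => /^\s*(on\s*:.*)?pull_request_target\b/.test(l));
  lines.forEach((line, i) => {
    const m = line.match(/^\s*-?\s*uses:\s*([^\s#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith("./") || ref.startsWith("docker://")) return; // local action or image
    const [name, rev = ""] = ref.split("@");
    if (!/^[0-9a-f]{40}$/.test(rev)) findings.push({ line: i + 1, rule: "unpinned-action", ref });
    if (prTarget && name === "actions/checkout") findings.push({ line: i + 1, rule: "pull_request_target-checkout", ref });
  });
  return findings;
}

// Flag dependency specifiers that are ranges, tags or URLs rather than one exact version.
function auditVersions(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!exact.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}
```

A `pull_request_target-checkout` finding is a prompt for manual review of what ref is checked out and which secrets the job can reach, not proof of an exploitable workflow.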