SafeChain, a free open-source tool by Aikido Security, now enforces a minimum 24-hour age requirement on npm packages before installation. Any version published within the last 24 hours is held back and verified against Aikido Intel's threat pipeline before being allowed to install. If a version fails verification, SafeChain automatically falls back to the last known clean version without breaking builds. This addresses a recurring attack pattern seen in 2025 where attackers publish malicious versions and exploit the window before security tools can analyze them. SafeChain works with npm, npx, yarn, pnpm, Bun, and pip.
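As an added illustration of the policy described above (not SafeChain's own code), the function below resolves a package version under a 24-hour minimum age: fresh versions are held back unless a verification callback clears them, and otherwise the newest version older than the window is chosen as the last known clean one. The `times` map is shaped like the `time` field of an npm registry packument, the sample data is constructed, and `verifier` is an assumed stand-in for the threat-intel check.

```python
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(hours=24)

# Constructed sample, shaped like the "time" map in an npm registry packument
# (version -> ISO 8601 publish timestamp). Versions and timestamps are made up.
SAMPLE_TIMES = {
    "created": "2025-03-01T08:00:00.000Z",
    "modified": "2025-09-10T11:30:00.000Z",
    "4.17.20": "2025-03-01T08:00:00.000Z",
    "4.17.21": "2025-09-08T09:15:00.000Z",
    "4.17.22": "2025-09-10T11:30:00.000Z",  # 30 minutes before NOW below
}
NOW = datetime(2025, 9, 10, 12, 0, tzinfo=timezone.utc)


def _publish_time(ts: str) -> datetime:
    # Registry timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_version(times, now, verifier, min_age=MIN_AGE):
    """Pick the newest version allowed by the minimum-age policy.

    verifier(version) stands in for the threat-intel pipeline and returns
    True when the version is clean (an assumed callback, not a real API).
    Returns (chosen_version_or_None, list_of_versions_held_back).
    """
    versions = [v for v in times if v not in ("created", "modified")]
    # Newest publish first; real resolvers would also apply the semver range.
    versions.sort(key=lambda v: _publish_time(times[v]), reverse=True)
    held_back = []
    for v in versions:
        if now - _publish_time(times[v]) < min_age:
            # Inside the 24-hour window: hold back unless verification passes.
            if verifier(v):
                return v, held_back
            held_back.append(v)
            continue
        # Older than the window: treated as the last known clean version.
        return v, held_back
    return None, held_back


if __name__ == "__main__":
    flagged = {"4.17.22"}  # constructed: pretend the pipeline flagged this one
    print(select_version(SAMPLE_TIMES, NOW, lambda v: v not in flagged))
```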

From aikido.dev

Table of contents:
- Why attackers focus on fresh versions
- Why we introduced a minimum package age
- Safe Chain is the safe default for devs
- Install Safe Chain Today