StepSecurity's monitoring platform flagged a legitimate npm release of @kilocode/cli that introduced two behavioral changes: missing npm provenance attestations (lost during a repository migration) and a newly added postinstall script that linked platform-specific binaries without checksum or signature verification. Though not malicious, these changes weakened established trust signals. The maintainers responded quickly and fixed the issues. The post explains why postinstall scripts are high-risk execution points, how provenance can silently disappear during pipeline changes, and why detecting behavioral deviations early matters for supply chain security. Best practices for npm maintainers are also outlined.
Table of contents
What We ObservedWhy This Was InterestingHow This Was DetectedBest Practices for npm MaintainersSort: