Best of NPM, March 2026

  1. Article · Collections · 7w

    Malicious axios versions 1.14.1 and 0.30.4 deploy a remote access trojan via supply chain attack

    Two malicious versions of axios (1.14.1 and 0.30.4) were published to npm on March 31, 2026, after an attacker hijacked a lead maintainer's npm credentials. The axios packages themselves were clean but pulled in a staged dependency, `plain-crypto-js`, whose postinstall script downloaded platform-specific second-stage payloads from a C2 server. The payloads deleted themselves after execution to hinder forensics. Socket detected the attack within minutes, Vercel blocked the C2 domain, and the versions were unpublished. Developers should check lockfiles and node_modules for the affected versions, rotate every secret reachable from affected environments, pin to known-good versions, and add `--ignore-scripts` to npm installs in CI. The incident highlights the systemic risk of unpinned dependencies in an ecosystem where a single compromised maintainer account can affect hundreds of millions of weekly installs.
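    The lockfile check recommended above, written out as an added example (it is not code from the original post, from Socket, or from the axios project). It walks an npm lockfile of version 2 or 3, flags the two axios versions and any version of `plain-crypto-js` named in the summary, and also lists every package that npm recorded as having an install script, since that is the hook the attack used. The sample lockfile and its `plain-crypto-js` version are constructed for illustration; pass a real `package-lock.json` path as the first argument to audit a project.

```javascript
// Added example: audit an npm lockfile for the versions named in the summary
// and for packages that declare install scripts. The package names and axios
// versions come from the summary; the sample lockfile below is constructed.
const AFFECTED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': null, // null = flag every version (the staged dependency)
};

// Derive the package name from a "packages" key in a v2/v3 lockfile, e.g.
// "node_modules/axios/node_modules/@types/node" -> "@types/node".
function nameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Returns { affected: [...], installScripts: [...] } for a parsed lockfile.
function auditLockfile(lock) {
  const findings = { affected: [], installScripts: [] };
  if (!lock.packages) {
    // lockfileVersion 1 stores a nested "dependencies" tree instead; not handled here.
    throw new Error('lockfileVersion 1 is not supported; regenerate with "npm install --package-lock-only"');
  }
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (key === '') continue; // the root project entry
    const name = nameFromKey(key);
    const versions = AFFECTED[name];
    if (versions !== undefined && (versions === null || versions.has(meta.version))) {
      findings.affected.push({ name, version: meta.version, path: key });
    }
    // npm sets hasInstallScript when a package.json has preinstall/install/postinstall.
    if (meta.hasInstallScript) {
      findings.installScripts.push({ name, version: meta.version, path: key });
    }
  }
  return findings;
}

// Constructed sample: a v3 lockfile that resolved the hijacked axios release.
// The plain-crypto-js version here is a placeholder, not the real published one.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '^1.0.0' } },
    'node_modules/plain-crypto-js': { version: '1.0.2', hasInstallScript: true },
    'node_modules/esbuild': { version: '0.25.0', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};

function main() {
  const lock = process.argv[2]
    ? JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const r = auditLockfile(lock);
  for (const f of r.affected) console.log(`AFFECTED  ${f.name}@${f.version}  (${f.path})`);
  for (const f of r.installScripts) console.log(`SCRIPTS   ${f.name}@${f.version}  (${f.path})`);
  return r.affected.length === 0; // true when the lockfile is clean
}

main();
```

    Two caveats for the `--ignore-scripts` advice. First, it also skips the legitimate install scripts the audit lists (native builds, binary downloads), so those packages have to be rebuilt explicitly afterwards with `npm rebuild <name>`; putting `ignore-scripts=true` in the project's `.npmrc` makes the setting apply to every install, not only the ones in CI. Second, the lockfile only tells you what was resolved, not what ran: a developer machine that installed the bad version before it was unpublished still needs its secrets rotated even after the lockfile is fixed.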

  2. Article · John Reilly · 12w

    npmx.dev: with a little help from my friends

    A personal account of contributing to npmx.dev, a community-built reimagining of the npmjs.com website. The author discovered a UX bug where npm API rate limiting (HTTP 429) caused the site to incorrectly show packages as missing. Using Claude Code to help write Vue/Nuxt code despite limited framework experience, they submitted a PR that displayed a proper rate-limit message to users. The post highlights npmx.dev's welcoming contributor culture, its thoughtful AI usage guidelines in CONTRIBUTING.md, and encourages others to get involved.

  3. Video · Web Dev Simplified · 9w

    I Am Done Using NPM

    npmx is a web-based alternative search interface for the npm registry that offers significantly better search results (powered by Algolia), faster performance through caching, and additional package metadata not available on the standard npm website. Key extras include vulnerability and deprecation warnings, auto-generated TypeScript docs, automatic @types install commands, a package comparison tool, social likes for gauging popularity, and keyboard shortcuts. Importantly, npmx does not replace npm as a package installer — it only replaces the npm website for browsing and discovering packages.

  4. Article · The Register · 11w

    npmx alternative to npmjs released to fix pain of npm

    A new open source npm registry browser called npmx has launched in alpha, created by Nuxt lead Daniel Roe at Vercel. It aims to address longstanding UX frustrations with the official npmjs.com interface, including missing dark mode, poor dependency display, lack of TypeScript/ESM info, and broken browser navigation. Built with Nuxt and integrating Bluesky's AT Protocol for social features, the project attracted 1,000 contributions within two weeks. It is sponsored by Netlify and Bluesky, which awarded a $6,000 grant. Notably, npmx only improves the browsing experience and does not change the underlying npm registry or publishing process.

  5. Article · Hacker News · 9w

    The Three Pillars of JavaScript Bloat

    JavaScript dependency trees have grown bloated over time due to three main causes: (1) packages built for very old engines (ES3/IE6) or cross-realm safety that most developers no longer need, (2) atomic architecture where trivial one-liners like `Array.isArray(val) ? val : [val]` became their own npm packages with single consumers and supply chain risks, and (3) ponyfills for features now natively supported everywhere that were never removed. Tools like knip, the e18e CLI, npmgraph, and the module-replacements project can help identify and eliminate this bloat. The author argues the small group needing legacy compatibility should maintain their own special stack, while the majority should benefit from modern, lightweight dependencies.