Massive campaign: 170+ packages and 400+ malicious versions published. What we saw: not a single maintainer account was compromised. TanStack and Mistral AI, these are the names that stand out.
kibiz0r@midwest.social
25 · 2 days ago
- Use lockfiles
- Use minimum release age gating
- Disable postinstall hooks
- Limit credentials of CI jobs, especially ones that eagerly update deps
- Disable dep-updating features completely (at the network level if you can) when deploying to higher envs
- Be skeptical of standalone CLIs — they often try to self-update, or bootstrap deps from npm, and don’t always use lockfiles to manage it
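The first two items in the list above (lockfiles, minimum release age gating) can be checked mechanically. The following is an added example, not code from the thread or from any package manager: it implements release-age gating against the shape of an npm registry packument (the JSON served at `https://registry.npmjs.org/<name>`, whose `time` map records when each version was published) and audits a `package-lock.json` v3 for entries that are unpinned or resolve to versions younger than the gate allows. The package names, timestamps, integrity string and the minimal semver comparison are all constructed for the demo.

```javascript
// Added example (not from the original thread): minimum-release-age gating
// and a lockfile sanity check against npm registry metadata. All sample data
// below is constructed; the packument and lockfile shapes follow npm's formats.

const DAY_MS = 24 * 60 * 60 * 1000;

// Minimal semver comparison for plain x.y.z versions (no prerelease tags).
// Enough for this demo; real tooling should use the semver package.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Pick the newest version that has been public for at least minAgeDays.
// Anything younger is skipped even if it carries the "latest" dist-tag:
// a hijacked package's malicious version is usually yanked within days,
// so waiting out that window is what release-age gating buys you.
function pickGatedVersion(packument, minAgeDays, now = Date.now()) {
  const cutoff = now - minAgeDays * DAY_MS;
  const candidates = Object.entries(packument.time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .filter(([, iso]) => Date.parse(iso) <= cutoff)
    .map(([version]) => version)
    .sort(compareSemver);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Audit the "packages" map of a package-lock.json v3. Flags entries that
// lack an integrity hash or resolved URL (the lockfile is not actually
// pinning what gets installed), entries whose version the registry does
// not know, and entries resolving to versions younger than minAgeDays.
function auditLockfile(lock, packuments, minAgeDays, now = Date.now()) {
  const findings = [];
  const cutoff = now - minAgeDays * DAY_MS;
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // the root project entry
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.integrity || !entry.resolved) {
      findings.push({ name, version: entry.version, reason: 'unpinned' });
      continue;
    }
    const meta = packuments[name];
    const published = meta && meta.time[entry.version];
    if (!published) {
      findings.push({ name, version: entry.version, reason: 'unknown-version' });
    } else if (Date.parse(published) > cutoff) {
      findings.push({ name, version: entry.version, reason: 'too-new' });
    }
  }
  return findings;
}

// Constructed registry metadata: "demo-lib" had 2.1.0 pushed yesterday.
const NOW = Date.parse('2026-01-15T00:00:00Z');
const PACKUMENTS = {
  'demo-lib': {
    name: 'demo-lib',
    'dist-tags': { latest: '2.1.0' },
    time: {
      created: '2024-03-01T00:00:00Z',
      modified: '2026-01-14T00:00:00Z',
      '2.0.0': '2025-11-01T00:00:00Z',
      '2.0.1': '2025-12-20T00:00:00Z',
      '2.1.0': '2026-01-14T00:00:00Z',
    },
  },
};

// Constructed lockfile: demo-lib is pinned but too new; other-lib is not
// pinned at all (no integrity/resolved), so npm would trust the registry.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/demo-lib': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/demo-lib/-/demo-lib-2.1.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-HASH',
    },
    'node_modules/other-lib': { version: '0.3.0' },
  },
};

console.log('gated demo-lib version (7 days):', pickGatedVersion(PACKUMENTS['demo-lib'], 7, NOW));
console.log('lockfile findings:', auditLockfile(LOCK, PACKUMENTS, 7, NOW));
```

With a 7-day gate the script selects `2.0.1` rather than the day-old `2.1.0`, and the lockfile audit reports `demo-lib` as too new and `other-lib` as unpinned. For the third item in the list, `ignore-scripts=true` in `.npmrc` is the npm-native way to stop install hooks from running; pnpm also ships a built-in `minimumReleaseAge` setting that does the gating above for you.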


