[BUG] <title>Subsequent malware attacks and security issues in the npm supply chain

[seniorit]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Subsequent malware attacks and security issues in the npm supply chain

Recently, the npm ecosystem has suffered several supply chain attacks shortly after its launch, and this has been widely reported in the Spanish-speaking community by people like midudev 🧐👍😄

Apart from removing the carets, we have no other option, but it doesn't solve the underlying problem. I created my own implementation for my private projects, which isn't the best solution, but it works for me for now. However, I would like to know how we can collaborate or contribute to making the npm platform, which is the benchmark in the nodejs ecosystem, more secure for all of us who use it and the community in general.

Finally, I would appreciate it if you could indicate if you have already contacted an issue regarding this specific topic. 😎

Environment

• npm:11.5.2
• Node.js: v22.19.0
• OS Name: Fedora Linux 42
• System Model Name:Lenovo IdeaPad Core i7-13620H

[Lorondos]

The option I have seen taken by a few now (including us) is to have a minimum age period of pulling new packages releases (3 days as one example but that would be configurable)

pnpm have already implemented a feature at a package manager level: pnpm/pnpm#9921 - https://pnpm.io/settings#minimumreleaseage.

Artifactories are also implementing package delay policies such as JFrog have done, a minimum delay before picking up npm packages for publishing.

[Lorondos]

Already an open issue on this specifically regarding the pnpm implementation: #8570

Edit: Fairly good conversation already ongoing on npm/rfcs#646

[trcoffman]

They should require 2fa to submit packages. The fact that malware can push to npm without a human having to do 2fa is crazy.

[Lorondos]

This is more for projects themselves but having PR requirements where another person must approve a release before it gets published would be good, even mandatory AI scans that if they pick up any suspicious logic, flags it for peer review and makes it difficult to publish until manual intervention/review has been done.

[twesterhuys]

Artifactories are also implementing package delay policies such as JFrog have done, a minimum delay before picking up npm packages for publishing.

@Lorondos tried finding references to this, do you happen to have a link?

[Lorondos]

Artifactories are also implementing package delay policies such as JFrog have done, a minimum delay before picking up npm packages for publishing.

@Lorondos tried finding references to this, do you happen to have a link?

To be more specific on this, more that we have implemented an internal policy on JFrog for this.