npm CLI 11.15.0 stages a tarball for maintainer 2FA approval before it hits the registry. Plus --allow-* install controls and how they differ from release-age gates and allowScripts.
Ghost 3.24.0–6.19.0 Content API SQLi leaked Admin API keys and injected ClickFix loaders into posts. Patch to 6.19.1+, rotate keys, and grep post bodies.
postcss, nanoid and browserslist all ship from one npm account: 964M downloads/week, no provenance. Not a breach but a single-publisher risk — what moved to staged releases, and what to check in your lockfile.
Actively exploited unauth RCE (CVSS 10.0) in Joomla JCE ≤2.9.99.4 via profile import, now in CISA KEV. Patch to 2.9.99.7, then hunt rogue profiles and webshells.
google-cloud-aiplatform 1.139.0/1.140.0 had a predictable Model.upload staging bucket: pre-create that GCS bucket and you get model-swap RCE with no victim creds. Fixed in 1.148.0.
Chainguard has blocked 52,000+ npm packages as malware or greyware, scanning 100,000+ a day, catching README-honest credential CLIs that release-age gates and npm v12 miss.
On June 17, 2026 Mastra's @mastra/* packages were re-published with an added easy-day-js dependency whose postinstall runs a RAT at install. Counts: 116 official vs 143–144 external.
npm v12 blocks preinstall/postinstall scripts and implicit node-gyp unless approved. Use npm 11.16.0 approve-scripts, allowScripts, --allow-git, and --allow-remote before CI.
GitHub disabled 73 Microsoft repos after an Azure/durabletask commit. Miasma used Claude Code, Gemini CLI, Cursor, and VS Code config, not npm install.
Vitest's UI/api WebSocket skips Origin checks (CSWSH), so a malicious page can call saveTestFile and rerun to run code on your dev machine. Fixed in 1.6.1 / 2.1.9 / 3.0.5.