npm CLI 11.15.0 stages a tarball for maintainer 2FA approval before it hits the registry. Plus --allow-* install controls and how they differ from release-age gates and allowScripts.
postcss, nanoid and browserslist all ship from one npm account: 964M downloads/week, no provenance. Not a breach but a single-publisher risk — what moved to staged releases, and what to check in your lockfile.
Chainguard has blocked 52,000+ npm packages as malware or greyware, scanning 100,000+ a day, catching README-honest credential CLIs that release-age gates and npm v12 miss.
On June 17, 2026, Mastra's @mastra/* packages were re-published with an added easy-day-js dependency whose postinstall script runs a RAT at install time. Counts: 116 official vs 143–144 external.
npm v12 blocks preinstall/postinstall scripts and implicit node-gyp unless approved. Use npm 11.16.0 approve-scripts, allowScripts, --allow-git, and --allow-remote before CI.
GitHub disabled 73 Microsoft repos after an Azure/durabletask commit. Miasma used Claude Code, Gemini CLI, Cursor, and VS Code config, not npm install.
TrapDoor planted 34 packages across npm, PyPI and Crates.io to steal Solana/Sui/Aptos wallet keys. Each registry fires differently: postinstall, import-time, and Rust build.rs.
The May 19 Mini Shai-Hulud wave compromised 314 npm packages under @antv via the `atool` maintainer account. After rolling back lockfiles, payload entry points stay behind in .claude/settings.json SessionStart hooks, .vscode/tasks.json folderOpen tasks, systemd user services, and .github/workflows/codeql.yml. Concrete IoCs and the gh-token-monitor wipe ordering before rotation.
GitHub is investigating TeamPCP's $50K+ sale of ~4,000 internal repos. Count called 'directionally consistent' by GitHub; file list and the VS Code extension attack vector remain unverified.
May 12: TeamPCP open-sourced the Shai-Hulud worm on GitHub. Datadog mapped its module pipeline (Loader/Provider/Collector/Dispatcher/Sender/Mutator) and Claude Code SessionStart hook for persistence. May 15: BreachForums opened a paid attack challenge. Detection notes for the copycat wave.
Malicious node-ipc 9.1.6/9.2.3/12.0.1 fire on require(), not postinstall. 12.0.1 is SHA-256 gated (targeted), so a working app isn't safe. Exfiltrates dev/CI secrets via DNS TXT.
Google extended Binary Transparency to its Android apps and Mainline modules starting May 2026. How the public log and verification tools differ from code signing, what's actually covered, and what the ADB-based verification workflow looks like for researchers.