Axios Hack Proves Lockfiles Aren't Enough – pnpm 10 Steps Up
Your next npm install could hand hackers your keys. The Axios supply chain attack lasted hours but exposed lockfile myths – and why pnpm 10 isn't just hype.
Imagine the full blueprint of Anthropic's Claude Code agent — 513,000 lines of TypeScript — accidentally published to npm for the world to grab. It was forked thousands of times before the fix landed.
npm installs feel safe. They're not. Hackers hijack packages daily, and your tooling invites them in.
Everyone thought JS frameworks needed npm's vast ecosystem to thrive. Then the axios hijack hit, exposing 300 million downloads to risk—and sparking nulldeps, a zero-dependency alternative that flips the script on web dev.
Hackers turned three obscure NPM packages into a credential-stealing monster that doesn't stop at theft—it bumps versions in your other packages and leaps to PyPI. Developers: check your tokens yesterday.