NPM to implement staged publishing after turbulent shift off classic tokens

https://news.ycombinator.com/rss Hits: 22
Summary

The JavaScript ecosystem spent much of 2025 responding to a sustained run of supply chain attacks, but it was the multi-wave Shai-Hulud campaign that ultimately reset expectations for what large-scale, automated compromise looks like. By the end of the year, organizations with JavaScript-heavy infrastructure were no longer treating supply chain malware as an edge case, but as an operational risk that could spread faster than human review.

Now, npm says it is preparing its next major response: staged publishing, a new release model designed to introduce deliberate friction into package publication, alongside expanded work on trusted publishing and identity-based workflows. The announcement follows a rocky migration away from classic npm tokens, a transition that tightened security controls but also exposed how fragile and inconsistent many real-world publishing setups still are.

How npm Is Responding After Shai-Hulud

Shai-Hulud was one of several supply chain campaigns in 2025 that illustrated how quickly attackers adapt to maintainer workflows. Across incidents, compromised credentials and malicious lifecycle scripts combined with CI automation to scale impact beyond individual packages.

In response, npm says it is working toward staged publishing, a model that introduces a review window before a package release becomes publicly available. Under the proposal, publishes would require explicit, MFA-verified approval from package owners during that staging period, giving maintainers a chance to catch unintended or malicious changes before they propagate downstream. Staged publishing introduces a registry-level review step before packages become publicly available, adding an explicit checkpoint to a publication process that has historically been optimized for speed and automation.

Alongside staged publishing, npm says it is accelerating work on bulk onboarding for OIDC-based trusted publishing and expanding support for additional CI providers beyond GitHub Actions and GitLab...

First seen: 2026-01-07 19:44

Last seen: 2026-01-08 16:48