
📰 supply-chain

Our plan for a more secure npm supply chain

Addressing a surge in package registry attacks, GitHub is strengthening npm’s security with stricter authentication, granular tokens, and enhanced trusted publishing to restore trust in the open source ecosystem.

weeklyfoo #104 / 2025-09-29
Tags: security, npm, supply-chain

Popular Tinycolor npm Package Compromised in Supply Chain Attack Affecting 40+ Packages

A malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across multiple maintainers.

weeklyfoo #103 / 2025-09-22
Tags: supply-chain, security
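The practical follow-up to an incident like the tinycolor compromise is checking whether any project lockfile pins an affected release, including transitive copies nested under other packages. The script below is an added example, not code from weeklyfoo, GitHub or the tinycolor project: it parses a package-lock.json "packages" map (lockfileVersion 2 or 3) and reports every entry whose name and version appear on a denylist. The lockfile fragment is constructed, and the denylisted versions are hypothetical placeholders, since the page does not name the affected versions; substitute the versions from the npm advisory for the real check.

```javascript
// Added example (not from the page or the project): scan an npm lockfile for
// denylisted name+version pairs, catching nested copies as well as direct ones.

// HYPOTHETICAL versions: the page names the package but not the bad releases.
const DENYLIST = {
  "@ctrl/tinycolor": new Set(["4.1.1", "4.1.2"]),
};

// Constructed lockfileVersion 3 fragment: one direct hit, one nested hit under
// some-lib, and one nested copy on a version that is not denylisted.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@ctrl/tinycolor": "^4.1.0", "some-lib": "^1.0.0" } },
    "node_modules/@ctrl/tinycolor": { version: "4.1.1" },
    "node_modules/some-lib": { version: "1.0.0" },
    "node_modules/some-lib/node_modules/@ctrl/tinycolor": { version: "4.1.2" },
    "node_modules/other-lib": { version: "2.0.0" },
    "node_modules/other-lib/node_modules/@ctrl/tinycolor": { version: "4.0.0" },
  },
});

// The package name is everything after the last "node_modules/" segment, which
// keeps the @scope/ prefix intact for scoped packages.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return every lockfile entry (direct or nested) whose name and exact version
// are on the denylist. Throws on lockfileVersion 1, which has no "packages" map.
function findDenylisted(lockJson, denylist = DENYLIST) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages || typeof lock.packages !== "object") {
    throw new Error("no 'packages' map: regenerate the lockfile with npm >= 7");
  }
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    const badVersions = name ? denylist[name] : undefined;
    if (badVersions && badVersions.has(entry.version)) {
      hits.push({ path: lockPath, name, version: entry.version });
    }
  }
  return hits;
}

// Stand-alone run over the constructed lockfile.
for (const hit of findDenylisted(SAMPLE_LOCK)) {
  console.log(`DENYLISTED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the contents of package-lock.json (for example `fs.readFileSync("package-lock.json", "utf8")`) and fill DENYLIST from the advisory. Matching on exact versions rather than semver ranges is deliberate: a lockfile records resolved versions, and a range match would either miss a pinned bad release or flag clean ones.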