From dc32d8e8ba8ccbedc1c0825a0d0767a14a08d1db Mon Sep 17 00:00:00 2001 From: Marceline Cramer Date: Sun, 17 May 2026 17:10:49 -0600 Subject: [PATCH] Add more npm supply chain attack examples --- site/content/contribute/security.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/site/content/contribute/security.md b/site/content/contribute/security.md index 22ddbbd..0b9144c 100644 --- a/site/content/contribute/security.md +++ b/site/content/contribute/security.md 
@@ -9,12 +9,20 @@ TODO Unfortunately for everybody, JavaScript is the language of the web. Kerolox does its best to be free of dependencies on web technology, but occasionally, some JavaScript-based tooling is necessary. We encourage _secure_ use of npm whenever possible and avoid npm whenever security cannot be guaranteed. -[npm](https://www.npmjs.com/) and its package repository are the main tools for creating web-compatible JavaScript. It's also infamously vulnerable[^mini-shai-hulud][^tanstack] to [supply chain attacks](https://en.wikipedia.org/wiki/Supply_chain_attack). Because npm is configured to run arbitrary scripts while installing packages, this means that anybody installing dependencies from the npm package registry is at risk. +[npm](https://www.npmjs.com/) and its package repository are the main tools for creating web-compatible JavaScript. It's also infamously vulnerable[^mini-shai-hulud][^tanstack][^satire][^colors-faker][^node-ipc][^event-stream] to [supply chain attacks](https://en.wikipedia.org/wiki/Supply_chain_attack). Because npm is configured to run arbitrary scripts while installing packages, this means that anybody installing dependencies from the npm package registry is at risk. 
[^mini-shai-hulud]: [Mini Shai-Hulud attack](https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised) [^tanstack]: [Tanstack supply chain attack](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem) +[^satire]: [A satire of npm security by Andrew Nesbitt](https://nesbitt.io/2026/02/03/incident-report-cve-2024-yikes.html) + +[^colors-faker]: [Supply chain self-sabotage on `colors` and `faker`](https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/) + +[^node-ipc]: [Supply chain self-sabotage on `node-ipc`](https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/) + +[^event-stream]: [Supply chain attack on `event-stream`](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident) + - TODO: describe npm workarounds - TODO: CVE reporting policy - TODO: dependency updating strategy
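Review bot: The new `[^satire]` citation is appended to the same chain that supports "infamously vulnerable ... to supply chain attacks", but the footnote text itself calls the link "A satire of npm security", so it is not evidence of an attack and reads as if it were one; either drop it from that citation chain or introduce it in its own sentence as commentary. The `[^colors-faker]` and `[^node-ipc]` footnotes also do not back the sentence that follows ("Because npm is configured to run arbitrary scripts while installing packages, this means that anybody installing dependencies ... is at risk"): both footnotes describe maintainer self-sabotage shipped in the library code, which runs when the dependency is used, not a malicious install script. Suggest widening that sentence to cover both vectors, e.g. "Because npm runs arbitrary install scripts, and because any dependency's code runs with the installing project's privileges, anybody installing dependencies from the npm package registry is at risk", so the examples cited actually support the claim.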