Add more npm supply chain attack examples

2026-05-17 17:10:49 -06:00
parent fd08b610de
commit dc32d8e8ba


@@ -9,12 +9,20 @@ TODO
Unfortunately for everybody, JavaScript is the language of the web. Kerolox does its best to be free of dependencies on web technology, but occasionally, some JavaScript-based tooling is necessary. We encourage _secure_ use of npm whenever possible and avoid npm whenever security cannot be guaranteed.
[npm](https://www.npmjs.com/) and its package repository are the main tools for creating web-compatible JavaScript. It's also infamously vulnerable[^mini-shai-hulud][^tanstack] to [supply chain attacks](https://en.wikipedia.org/wiki/Supply_chain_attack). Because npm is configured to run arbitrary scripts while installing packages, this means that anybody installing dependencies from the npm package registry is at risk.
[npm](https://www.npmjs.com/) and its package repository are the main tools for creating web-compatible JavaScript. It's also infamously vulnerable[^mini-shai-hulud][^tanstack][^satire][^colors-faker][^node-ipc][^event-stream] to [supply chain attacks](https://en.wikipedia.org/wiki/Supply_chain_attack). Because npm is configured to run arbitrary scripts while installing packages, this means that anybody installing dependencies from the npm package registry is at risk.
[^mini-shai-hulud]: [Mini Shai-Hulud attack](https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised)
[^tanstack]: [Tanstack supply chain attack](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
[^satire]: [A satire of npm security by Andrew Nesbitt](https://nesbitt.io/2026/02/03/incident-report-cve-2024-yikes.html)
[^colors-faker]: [Supply chain self-sabotage on `colors` and `faker`](https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/)
[^node-ipc]: [Supply chain self-sabotage on `node-ipc`](https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/)
[^event-stream]: [Supply chain attack on `event-stream`](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident)
- TODO: describe npm workarounds
- TODO: CVE reporting policy
- TODO: dependency updating strategy
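Review bot: the `[^satire]` footnote that this hunk adds to the "infamously vulnerable" sentence cites a satirical incident report in the same list as real incidents (Mini Shai-Hulud, Tanstack, `event-stream`), so a reader following the footnote chain will take it as evidence for the claim; either drop it from that list or mark it in the running text, e.g. "(satirised in [^satire])". The `colors`/`faker` and `node-ipc` entries are maintainer self-sabotage rather than third-party compromise, as the footnote labels themselves say, so the sentence would be more accurate as "vulnerable to supply chain attacks and maintainer sabotage". Since the sentence attributes the risk to npm running arbitrary scripts at install time, the still-open "TODO: describe npm workarounds" item is the natural place to name the direct mitigation for that mechanism, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), so the claim and its countermeasure sit together.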