Another npm attack highlights the need for supply-chain security

Time to rotate those credentials.
September 18, 2025

A fast-moving worm has compromised more than 180 npm packages – and may mark a turning point for software supply chain security

After years of high-profile package compromises – from event-stream to the recent Nx breach – npm is once again in the spotlight. Over the past week, a self-replicating worm has made its way through the world’s largest JavaScript package repository, compromising at least 180 packages and exposing credentials from maintainers and developers along the way. 

Because many of the affected packages sit deep in dependency chains, the attack is likely to have touched thousands of downstream applications and developers – far more than the raw number of packages suggests.
