
Supply Chain Attacks — When npm Packages Turn Hostile

Real examples of supply chain attacks, typosquatting, lockfile attacks, and how to protect your dependencies

17 min read · security, supply-chain, npm, dependencies, typosquatting

In January 2022, a developer named Marak Squires intentionally sabotaged two of his own widely-used npm packages, colors and faker. The affected releases were colors 1.4.1 and 1.4.2 and faker 6.6.6. The colors package printed an infinite loop of garbled text. The faker package replaced its entire functionality with a single line: "endgame." Thousands of applications broke overnight, because any project whose package.json declared a caret range such as ^1.4.0 and had no lockfile pinning an older release pulled the sabotaged version on its next install. Not because of a bug, but because the maintainer decided to make a point about open-source funding.

This wasn't even a malicious attack in the traditional sense. It was an act of protest by the legitimate maintainer. But it exposed a truth that the JavaScript ecosystem has been dancing around for years: your application is only as secure as the least trustworthy package in your dependency tree.

And that dependency tree is deep. The average Node.js project has over
