Supply Chain Security Is Getting Worse, Not Better
Two significant security stories landed on the same day. First, a malicious postinstall hook was found across 700 GitHub repos including Node projects, with the HN thread noting that npm still runs postinstall scripts by default without warning. Second, CISA suffered a data leak after a contractor used a repository as a working scratchpad and committed secrets, which is exactly the kind of human error that scales catastrophically when AI-assisted development accelerates commit volume.
npm's response, staged publishing with install-time controls, got a mixed reception. Some commenters called it a band-aid. The more pointed criticism is that static and dynamic analysis of packages would be more effective than merely delaying an attack.
The pattern: as more code gets written faster by more people using AI tools, the attack surface for supply chain compromise grows proportionally. The tooling to defend against this has not kept pace. CISA leaking its own secrets via a contractor's git repo is the institutional version of the same problem.
So what?
Audit your postinstall scripts and your dependency tree now, not after an incident. If you are shipping a product that depends on npm packages, staged publishing is a marginal improvement, but you should also be running automated scans on your dependency graph. The threat is real and getting more frequent.