Recent incidents involving TanStack, Axios, and many other popular packages have made one thing painfully clear: blindly running npm install is no longer safe. Supply chain attacks have become industrialized, and every developer must treat dependencies as a potential attack vector.
This article walks you through practical, battle-tested strategies to secure your projects using modern tools and habits.
Why npm Supply Chain Attacks Are Rising
Attackers are increasingly targeting the npm ecosystem because of its massive reach. A single compromised popular package can affect millions of developers and thousands of companies within hours.
Common attack techniques include:
- Malicious postinstall or prepare scripts
- OIDC token theft via GitHub Actions cache poisoning
- Maintainer account takeovers
- Phantom dependencies pointing to malicious Git commits
- Self-propagating worms
Core Philosophy: Never Trust by Default
The golden rule in 2026 is:
> Assume every new package is malicious until proven otherwise.
This mindset shift is the foundation of modern JavaScript security.
1. Use pnpm — The Security-First Package Manager
pnpm is currently the safest and fastest package manager for Node.js.
Key Security Advantages:
- Strict store isolation
- Built-in build script allowlisting
- Better support for ignore-scripts
Setup Commands:
Make Build Scripts Safe
Create pnpm-workspace.yaml in your project root:
2. LavaMoat — Granular Script Control
LavaMoat allows you to block all lifecycle scripts by default and explicitly allow only trusted ones.
Setup (Manual — more reliable)
Add this to your package.json:
Daily Workflow:
3. Socket.dev — The Best Package Scanner
Socket.dev goes far beyond npm audit. It detects malicious behavior, risky scripts, and supply chain red flags.
Install & Use:
Pro Tip: Use socket npm install instead of regular install commands.
4. Essential Security Habits
Project Configuration (.npmrc)
Always Commit Lockfiles
Never delete pnpm-lock.yaml or package-lock.json from git.
Pin Critical Dependencies
Review Scripts Before Allowing
Always check for suspicious entries:
- postinstall
- prepare
- preinstall
- Obfuscated code
Real-World Attack Examples (2026)
- TanStack Attack: Used GitHub Actions cache poisoning + OIDC token extraction
- Axios Attack: Maintainer account compromise leading to malicious versions
- Self-propagating malware that steals cloud credentials and spreads to other packages
Complete Safe Installation Workflow
Final Security Checklist
- [ ] Using pnpm as primary package manager
- [ ] LavaMoat configured with strict allowlist
- [ ] Socket.dev integrated in workflow
- [ ] ignore-scripts=true enabled
- [ ] Lockfile committed to git
- [ ] Critical dependencies pinned
- [ ] Regular security scans in CI
Conclusion
The days of casually running npm install and hoping for the best are over. Modern JavaScript development requires a security-first mindset and the right tooling.
By combining pnpm + LavaMoat + Socket.dev, you get industry-leading protection with acceptable developer experience.
Start small. Secure one project today. The attackers are getting more sophisticated — your defenses should too.
Further Reading & Tools
- pnpm Security Best Practices
- TanStack npm Supply Chain Postmortem
Stay safe, review everything, and never stop learning.