
Changelog Interviews: Securing npm is table stakes
Jan 29, 2026
Nicholas C. Zakas, longtime JavaScript engineer and creator of ESLint, reflects on recent npm compromises and why current responses fall short. He critiques token policies, explains trusted publishing and anomaly detection, weighs registry funding and operational challenges, and examines why alternatives like JSR or Volt struggle to replace npm.
AI Snips
Pattern Of Repeated NPM Attacks
- Attacks on npm often follow the same pattern: stolen credentials, malicious publish, and pre/post-install scripts executing payloads.
- Nicholas Zakas warns that repeated small compromises increase risk of a far more damaging future attack.
ESLint Targeted By Suspicious Pull Requests
- ESLint has received mysterious pull requests that change dependencies, which felt like probes of a target chosen for its popularity.
- Zakas recounts a past compromise where reused credentials allowed publishing malicious ESLint packages, prompting stricter publish controls.
Prefer Just-In-Time Tokens, But Verify MFA
- Use OpenID Connect (trusted publishing) to avoid long-lived tokens and rotate credentials automatically where possible.
- But avoid relying solely on trusted publishing because it currently lacks two-factor protections for critical packages.
