
The Changelog: Software Development, Open Source Securing npm is table stakes (Interview)
Jan 29, 2026
Nicholas C. Zakas, seasoned JavaScript engineer and creator/maintainer of ESLint, critiques npm security and shares hard-earned tooling perspective. He discusses mass compromise patterns, maintainer risks, GitHub's response and trusted publishing limits. He also explores anomaly detection, registry alternatives like JSR and Volt, and funding or stewardship paths forward.
Repeated Attack Pattern Signals Bigger Threat
- The NPM attacks in 2025 repeatedly used credential theft and malicious pre/post-install scripts to spread quickly.
- Nicholas Zakas warns these frequent low-damage incidents likely foreshadow a more damaging, large-scale attack if nothing changes.
ESLint's Publish Compromise And Response
- ESLint experienced suspicious pull requests and once had a compromised publish via reused credentials.
- That incident led Nicholas to remove individual publish rights and tighten ESLint's publishing process.
Rotate Tokens Or Use Just-in-Time Credentials
- Use fine-grained, short-lived tokens or trusted publishing to avoid long-lived credentials.
- Prefer on-demand OpenID Connect tokens in CI to eliminate stored publish credentials where practical.
