Software Supply Chain
What are the security risks of npm and PyPI packages?
npm and PyPI are the primary package registries for JavaScript and Python, serving millions of developers worldwide. In 2025, over 3,180 confirmed malicious packages were identified across these registries. Attack methods include typosquatting, dependency confusion, and self-propagating malware like the Shai-Hulud worm. A single incident in September 2025 compromised 20 npm packages with 2 billion weekly downloads, demonstrating the systemic risk in open-source package ecosystems.
What Is / Definition
npm (Node Package Manager) and PyPI (Python Package Index) are the two largest open-source package registries, serving as the foundation of modern JavaScript and Python development. npm hosts over 2 million packages. PyPI hosts over 500,000. Together, they underpin the vast majority of web applications, backend services, data pipelines, and AI tooling built today. The security challenge is that these registries operate on an open-publish model. Anyone can publish a package. There is no mandatory security review. While both registries have added measures like two-factor authentication requirements for popular packages, the scale makes comprehensive vetting impossible. In 2025, the threat reached a new intensity. Over 3,180 confirmed malicious packages were identified across npm and PyPI. These packages used a variety of attack techniques — typosquatting (publishing packages with names similar to popular ones), dependency confusion (exploiting how package managers resolve internal vs. public packages), and outright malicious code disguised as legitimate functionality. The September 2025 npm incident demonstrated the systemic nature of the risk. Twenty npm packages with a combined 2 billion weekly downloads were compromised. This was not a niche attack on obscure libraries — it hit widely-used packages that are dependencies of thousands of other projects, affecting developer machines across the industry. The Shai-Hulud worm, also discovered in September 2025, introduced a new attack paradigm: self-propagating malware through npm packages. Unlike traditional malicious packages that wait to be installed, Shai-Hulud could spread through dependency chains automatically, infecting downstream packages without their maintainers' knowledge. For developer workstations, the risk is immediate. When a developer runs `npm install` or `pip install`, the package executes on their machine. Post-install scripts run automatically. Malicious code has access to the local filesystem, environment variables, and network from the moment of installation — long before any CI/CD scanning can intervene.
Why It Matters
Package security matters because every developer machine is directly exposed to these registries, and the gap between installation and detection is where attacks succeed. The typical security posture today focuses on CI/CD pipeline scanning. Tools like Snyk and Dependabot check dependencies when code is committed or built. But this misses the critical window: the hours or days between when a developer installs a package locally and when that code reaches the pipeline. During that window, malicious packages execute freely on the developer's workstation — accessing source code, harvesting credentials from environment variables, and potentially establishing persistence. The September 2025 incident — 20 npm packages, 2 billion weekly downloads compromised — illustrates the blast radius. These were not obscure packages. They were mainstream dependencies used in production applications worldwide. Every developer who ran `npm install` during the compromise window executed the malicious code on their local machine. CI/CD scanning would eventually catch the vulnerability, but the workstation damage was already done. The Shai-Hulud worm raised the stakes further. Self-propagating malware through package dependencies means that a single compromised package can cascade through the ecosystem without any action by downstream maintainers or developers. The traditional model of \"trust but verify at the pipeline\" breaks down when the malware spreads faster than verification can happen. AI coding agents compound the risk. When an agent autonomously installs packages to complete a task, it may pull dependencies the developer never explicitly chose. Package hallucination — where an AI suggests a package name that does not exist, and attackers register that name with malicious code — is a documented attack vector that specifically targets AI-assisted development workflows.
How It Works
Malicious package attacks on npm and PyPI operate through several well-documented mechanisms. Typosquatting. Attackers publish packages with names nearly identical to popular ones — `lodahs` instead of `lodash`, `reqeusts` instead of `requests`. Developers who mistype a package name, or AI agents that hallucinate a slightly incorrect name, install the malicious version instead. The malicious package typically mirrors the legitimate package's functionality while adding hidden malicious behavior. Dependency confusion. Many organizations use internal package registries with private packages. Dependency confusion exploits how package managers resolve names: if a public package exists with the same name as a private one, the package manager may install the public (malicious) version instead. This attack has been used successfully against major technology companies. Post-install scripts. Both npm and PyPI support scripts that execute automatically when a package is installed. Malicious packages use these scripts to run their payload immediately — before the developer has a chance to review the code. On npm, the `postinstall` script runs as part of `npm install`. On PyPI, `setup.py` executes during installation. These scripts can access the filesystem, make network requests, and establish persistence. Supply chain compromise. Rather than creating new malicious packages, attackers compromise existing popular packages by hijacking maintainer accounts, submitting malicious pull requests, or exploiting the maintainer's own dependencies. The September 2025 incident followed this pattern — legitimate, widely-used packages were compromised upstream, affecting billions of downstream installations. Self-propagating malware (Shai-Hulud). The Shai-Hulud worm, discovered in September 2025, injected itself into the publish process of other packages. When an infected developer published any npm package, the worm added itself as a dependency. This created exponential spread through the ecosystem, as each newly infected package became a vector for further propagation. Detection requires monitoring at the point of installation on the developer's machine — not at the CI/CD stage where the damage has already occurred.