How to Defend Against NPM Software Supply Chain Attacks

Derek Francour
1 minute read

I recently co-authored a blog post about how to defend against NPM software supply chain attacks like the ongoing Shai-Hulud attack or the recent compromises of popular packages like eslint-prettier, Nx, or chalk and debug. The post covers CI/CD hardening, lockfile best practices, and why --ignore-scripts should probably be your default (or switch to pnpm and get safer defaults).
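As an added illustration of the lockfile and --ignore-scripts advice above (example code, not from the post or the Endor Labs article), this Node script audits a package-lock.json for the packages whose install hooks --ignore-scripts would suppress and for entries that weaken the lockfile's guarantee; the sample lockfile, package names and integrity strings are constructed.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2 or 3).
// npm records `hasInstallScript: true` for packages declaring preinstall/
// install/postinstall hooks (what --ignore-scripts suppresses), plus a
// `resolved` URL and `integrity` hash per fetched tarball. Entries without an
// integrity hash, or fetched from outside the expected registry, are exactly
// what a CI `npm ci` step should refuse to trust silently.
function auditLockfile(lock, registry = 'https://registry.npmjs.org/') {
  const findings = { supported: true, installScripts: [], missingIntegrity: [], nonRegistry: [] };
  if (!lock || typeof lock.lockfileVersion !== 'number' || lock.lockfileVersion < 2) {
    findings.supported = false;   // v1 lockfiles lack the per-package `packages` map
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue;   // root project or workspace symlink
    // Strip the leading node_modules/ chain so nested and scoped packages read as name@version.
    const id = `${path.replace(/^.*node_modules\//, '')}@${entry.version}`;
    if (entry.hasInstallScript) findings.installScripts.push(id);
    if (!entry.integrity) findings.missingIntegrity.push(id);
    if (!entry.resolved || !entry.resolved.startsWith(registry)) findings.nonRegistry.push(id);
  }
  return findings;
}

// Constructed sample lockfile (placeholder names and integrity values).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/chalk': {
      version: '5.3.0',
      resolved: 'https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
    },
    'node_modules/@example/native-addon': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/@example/native-addon/-/native-addon-2.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
      hasInstallScript: true,          // would run a build hook unless --ignore-scripts is set
    },
    'node_modules/example-util': {
      version: '0.1.0',
      resolved: 'git+ssh://git@github.com/example/example-util.git#abc123',  // no integrity hash
    },
  },
};

// Stand-alone: node audit-lockfile.js [path/to/package-lock.json]
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLockfile(lock), null, 2));
}
```

Packages listed under installScripts are the ones to review and allowlist explicitly (pnpm's onlyBuiltDependencies serves that purpose) rather than letting every dependency run code at install time.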

Read the full article at Endor Labs →