Honestly, it's exhausting to wake up and find out there's yet another attack on the npm ecosystem.

Socket shared on social media that they had identified compromised packages, some of them TanStack packages.

Why are attackers so obsessed with npm? Seriously, can you stop already?

If you still use npm and haven't disabled post-install (lifecycle) scripts, you're in serious danger: a compromised package can run arbitrary code on your machine the moment it is installed.

Go and disable that right now.

Start using pnpm. Version 11 disables this functionality by default. Of course, some packages still need post-install scripts, and in those cases you should manually review them and authorize them one by one instead of re-enabling scripts globally.

Also, there are tools that check a package before you install it: Socket's sfw and npq.

Hope this helps.