Key Takeaways: The State of npm in 2026
- Three major npm supply chain attacks in seven months (September 2025 - March 2026) have fundamentally altered the ecosystem's security posture.
- The Axios compromise on March 31, 2026, attributed to North Korean state actor Sapphire Sleet, affected a package with over 100 million weekly downloads and deployed a cross-platform RAT.
- The Shai-Hulud worm became the first self-replicating malware in npm history, compromising over 1,200 packages across two waves.
- GitHub permanently revoked all classic npm tokens on December 9, 2025, mandating granular tokens and expanding trusted publishing via OIDC.
- Over 99% of all open-source malware now targets npm, according to Sonatype's 2026 report, with 454,600+ malicious packages identified in 2025 alone.
- The npm registry has grown to over 3.2 million packages processing approximately 2.1 billion downloads per week.
- The EU Cyber Resilience Act reporting requirements take effect in September 2026, bringing regulatory pressure to open-source software supply chains.
- The open-source software security market reached $5.50 billion in 2025 and is forecast to reach $10.23 billion by 2030.
npm Market Overview: Scale, Growth, and Dominance
The npm registry remains the world's largest software package registry by a wide margin. As of April 2026, the npm registry hosts over 3.2 million packages and processes approximately 2.1 billion downloads per week. [1: North Korea Axios npm Attack: 100M Downloads Hit (2026) — npm registry statistics] This represents roughly a 28% increase in total packages from the 2.5 million recorded in early 2024, underlining the continued expansion of the JavaScript and TypeScript ecosystem.
Across all open-source registries - npm, PyPI, Maven Central, NuGet, and Hugging Face - 9.8 trillion package downloads were processed in 2025, with npm the largest single contributor. [2: npm Security Risks 2026: Vulnerable Packages & Fixes — citing Sonatype download statistics] The registry underpins virtually every modern web application, mobile backend, and increasingly, AI/ML tooling built in JavaScript or TypeScript.
The npm ecosystem's sheer scale is both its greatest strength and its most critical vulnerability. Every major web framework (React, Vue, Angular, Svelte), every backend Node.js application, and a growing number of AI integration libraries depend on npm. This centrality has made it the primary target for malicious actors: over 99% of all open-source malware now targets npm, according to Sonatype's 2026 State of the Software Supply Chain report. [3: Sonatype 2026 State of the Software Supply Chain Report]
The Security Investment Boom
The scale of recent attacks has driven significant investment into supply chain security tooling. The open-source software security market reached $5.50 billion in 2025 and is forecast to hit $10.23 billion by 2030, a CAGR of 13.20%. [4: Open-Source Software Security Market Size & Share Analysis — Mordor Intelligence] The broader software supply chain security market is growing even faster: valued at $5.83 billion in 2025, it is projected to reach $13 billion by 2030, growing at a 17% CAGR. [5: Software Supply Chain Security Market Size, Overview, Trends]
Key players in the npm security space include Socket (which raised $40 million in a Series B round [6: Socket secures $40M to combat next-generation software supply chain attacks] and has reached $4.2 million in annual revenue with a 38-person team [7: How socket.dev hit $4.2M revenue with a 38 person team in 2025]), Snyk, Sonatype, and ReversingLabs. These companies are competing to become the default security layer between npm and production environments, offering everything from behavioral analysis and provenance verification to automated malware detection.
Major npm Developments in 2025-2026
The past seven months represent the most consequential period in npm's 14-year history. Three distinct, high-impact supply chain compromises - each exploiting stolen maintainer credentials - have reshaped how the ecosystem thinks about trust.
The Shai-Hulud Worm: Wave 1 (September 2025)
On September 15, 2025, a self-replicating worm dubbed "Shai-Hulud" began spreading through the npm ecosystem - the first automated propagation campaign in npm registry history. [8: Shai-Hulud Worm: Supply Chain Threat — Cyber Executive Summary] Named after the colossal sandworms from Frank Herbert's Dune, the worm lived up to its name.
The attack began with the compromise of the @ctrl/tinycolor package. From there, the worm's postinstall script harvested AWS, GCP, and Azure credentials using TruffleHog, established persistence through GitHub Actions backdoors, and - critically - used stolen npm tokens to automatically publish malicious versions of other packages maintained by the same developer. CISA confirmed that Shai-Hulud compromised over 500 npm packages. [9: CISA Alert: Widespread Supply Chain Compromise Impacting npm Ecosystem]
The worm emerged days after a phishing campaign that spoofed npm and targeted developers' multi-factor authentication credentials, suggesting a coordinated operation. [10: Self-Replicating Worm Hits 180+ Software Packages — Dark Reading]
Shai-Hulud 2.0 (November 2025)
Despite GitHub's initial remediation efforts, a second wave - Shai-Hulud 2.0 - struck between November 21 and 24, 2025, compromising 796 unique npm packages. [11: The Shai-Hulud 2.0 npm worm: analysis, and what you need to know — Socket] This time, high-profile publishers were affected: packages from Zapier, ENS Domains, PostHog, and Postman were temporarily trojanized.
The scale was staggering. According to Wiz, some of the compromised packages occurred in roughly 27% of cloud and code environments they scanned. [12: Shai-Hulud 2.0: Ongoing Supply Chain Attack — Wiz Blog] At peak propagation, 1,000 new infections were being added every 30 minutes, affecting over 25,000 repositories. [13: Shai-Hulud Worm Returns: 300+ NPM Packages Compromised — propagation statistics]
PostHog published a detailed post-mortem confirming that several of its SDKs were compromised at 4:11 AM UTC on November 24, with malicious preinstall scripts exfiltrating tokens and secrets. [14: Post-mortem of Shai-Hulud attack on November 24th, 2025 — PostHog]
The Axios Compromise (March 2026)
The most impactful attack came on March 31, 2026, when a threat actor hijacked the npm credentials of the lead Axios maintainer. Axios, a promise-based HTTP client library with over 100 million weekly downloads and 400 million monthly downloads, is a transitive dependency in millions of JavaScript projects worldwide. [15: The Axios npm Supply Chain Attack: A Complete Breakdown]
The attacker published two poisoned versions - axios@1.14.1 and axios@0.30.4 - that introduced a hidden dependency called plain-crypto-js@4.2.1, published just minutes before the hijack. This dependency executed a cross-platform dropper that installed a Remote Access Trojan (RAT). [16: Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client]
Microsoft Threat Intelligence attributed the attack to the North Korean state actor Sapphire Sleet (tracked by Google as UNC1069), with the deployed malware formally identified as WAVESHAPER.V2. [17: Mitigating the Axios npm supply chain compromise — Microsoft Security Blog] The malicious versions remained available for approximately three hours before automated scanners from Socket and StepSecurity flagged them and npm administration removed them. [18: Axios npm Supply Chain Attack: Detection & Remediation Guide — StepSecurity and Socket attribution]
The attack began with social engineering. Jason Saayman, the lead Axios maintainer, disclosed that the threat actor had contacted him two weeks prior on Slack, masquerading as a founder of a known company. [19: Axios npm supply chain attack started on Slack — Cybernews]
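A lockfile check for the versions named above, written as an added example that is not code from the article or its sources. It scans a parsed package-lock.json (lockfileVersion 1, 2 or 3) for axios@1.14.1, axios@0.30.4 and plain-crypto-js@4.2.1, and also lists packages that declare install scripts, the mechanism the Shai-Hulud waves used. The function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example. KNOWN_BAD comes from the article; SAMPLE_LOCK is constructed.
const KNOWN_BAD = new Map([
  ['axios', ['1.14.1', '0.30.4']],
  ['plain-crypto-js', ['4.2.1']],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

function record(findings, name, entry, where) {
  const bad = KNOWN_BAD.get(name);
  if (bad && bad.includes(entry.version)) {
    findings.knownBad.push({ name, version: entry.version, where });
  }
  // hasInstallScript (lockfile v2/v3) marks preinstall/install/postinstall scripts.
  if (entry.hasInstallScript === true) {
    findings.installScripts.push({ name, version: entry.version, where });
  }
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function walkV1(deps, trail, findings) {
  for (const [name, entry] of Object.entries(deps || {})) {
    record(findings, name, entry, [...trail, name].join(' > '));
    walkV1(entry.dependencies, [...trail, name], findings);
  }
}

function scanLockfile(lock) {
  const findings = { knownBad: [], installScripts: [] };
  if (lock && lock.packages && typeof lock.packages === 'object') {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const name = entry.name || nameFromPath(path);
      if (name) record(findings, name, entry, path);
    }
  } else if (lock && lock.dependencies) {
    walkV1(lock.dependencies, [], findings);
  } else {
    throw new Error('no "packages" or "dependencies" map in lockfile');
  }
  return findings;
}

const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/example-native-addon': { version: '3.1.0', hasInstallScript: true },
    'node_modules/@acme/sdk/node_modules/axios': { version: '1.13.0' },
  },
};
console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, pass the result of `JSON.parse` on the project's package-lock.json to `scanLockfile`. A hit in `knownBad` means the lockfile pins one of the listed versions; `installScripts` is a review list, not a verdict.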
SANDWORM_MODE: AI-Targeted Typosquatting (February 2026)
In a separate but related trend, researchers identified 19 malicious npm packages in mid-February 2026 that impersonated popular developer utilities and AI coding tools. [20: Typosquatting campaign targets npm, CI pipelines, and AI-driven development — February 2026] Dubbed "SANDWORM_MODE," the campaign used typosquatting to trick developers into executing packages that harvested cryptocurrency keys, CI secrets, and - notably - AI API tokens via MCP (Model Context Protocol) injection. [21: SANDWORM_MODE: npm supply-chain worm poisons CI workflows and AI coding tools]
This attack highlighted a new frontier: as AI-assisted development tools gain popularity, attackers are specifically targeting the npm packages developers use to interface with large language models.
npm Technology and Innovation Trends in 2026
GitHub's Security Overhaul
The cascade of attacks triggered the most significant security changes in npm's history. GitHub announced and implemented a phased security roadmap:
- Mandatory two-factor authentication (2FA) for all local publishing, with a shift from time-based one-time passwords to more secure FIDO/WebAuthn-based systems. [22: GitHub tightens npm security with mandatory 2FA, access tokens]
- Classic token revocation: On December 9, 2025, GitHub permanently revoked all npm classic tokens and replaced long-lived publishing tokens with short-lived session tokens (2-hour expiry for local publishing, 7-day expiry for granular automation tokens). [23: npm classic tokens revoked — urgent migration checklist for full-stack teams (December 9, 2025)] CLI support for managing granular access tokens was bundled with this release.
- Trusted publishing via OIDC: npm trusted publishing with OpenID Connect (OIDC) reached general availability in July 2025, allowing packages to be published directly from CI/CD workflows using short-lived, cryptographically signed credentials without any long-lived npm tokens. [24: npm Trusted Publishing with OIDC is generally available — GitHub Blog] The system automatically generates provenance attestations for every package published through trusted publishing.
The Provenance Gap
Despite these advances, adoption remains troublingly incomplete. An independent audit of the 50 most-downloaded npm packages (week of April 6-12, 2026) found that almost none of them ship with SLSA provenance attestations. [25: I audited the top 50 npm packages. Almost none ship with supply-chain provenance (April 2026)] This is particularly concerning given that these packages collectively represent billions of weekly downloads.
npm's provenance system, based on Sigstore, was introduced in May 2023 and reached general availability in October 2023. With the npm CLI v11.5.1+ and trusted publishing, provenance attestation is now attached by default unless explicitly opted out. [26: The 2026 State of Package Registry Provenance: Who Is Signing What? — Zenn] Yet the gap between what is available and what is actually deployed remains vast - many of the ecosystem's most critical packages are still published locally by individual maintainers without provenance.
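One way to measure the gap described above for a single package, as an added example that is not the audit's or npm's own code. It reads registry metadata (a "packument") and reports whether the latest release carries a provenance attestation, plus any release published without provenance after an earlier one had it, which is the pattern a local publish with stolen credentials would leave. It assumes the registry metadata layout (`dist-tags`, `time`, and `dist.attestations.provenance.predicateType` per version); the package and its versions are constructed.

```javascript
// Added example. PACKUMENT is constructed metadata for a made-up package.
function provenanceOf(versionMeta) {
  const att = versionMeta && versionMeta.dist && versionMeta.dist.attestations;
  if (!att || !att.provenance) return null;
  return att.provenance.predicateType || 'unknown';
}

function auditProvenance(packument) {
  const versions = packument.versions || {};
  const time = packument.time || {};
  // Oldest first, using the per-version publish timestamps.
  const history = Object.keys(versions)
    .filter((v) => !Number.isNaN(Date.parse(time[v])))
    .sort((a, b) => Date.parse(time[a]) - Date.parse(time[b]))
    .map((v) => ({ version: v, provenance: provenanceOf(versions[v]) }));

  // A release without provenance after an attested one is a regression.
  const regressions = [];
  let seen = false;
  for (const h of history) {
    if (h.provenance) seen = true;
    else if (seen) regressions.push(h.version);
  }
  const latest = (packument['dist-tags'] || {}).latest || null;
  return {
    name: packument.name,
    latest,
    latestHasProvenance: provenanceOf(versions[latest]) !== null,
    attested: history.filter((h) => h.provenance).length,
    total: history.length,
    regressions,
  };
}

const withProvenance = () => ({
  dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } },
});
const PACKUMENT = {
  name: 'example-http-client',
  'dist-tags': { latest: '2.2.1' },
  versions: {
    '2.0.0': { dist: {} },
    '2.1.0': withProvenance(),
    '2.2.0': withProvenance(),
    '2.2.1': { dist: {} }, // published without an attestation
  },
  time: {
    '2.0.0': '2025-01-10T09:00:00Z',
    '2.1.0': '2025-06-02T09:00:00Z',
    '2.2.0': '2025-11-20T09:00:00Z',
    '2.2.1': '2026-03-31T00:20:00Z',
  },
};
console.log(auditProvenance(PACKUMENT));
```

For dependencies already installed in a project, `npm audit signatures` verifies registry signatures and provenance attestations directly.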
The Rise of Alternative Registries
npm is no longer the only game in town. JSR (JavaScript Registry), developed by the Deno team, offers a TypeScript-first, ESM-only alternative with built-in provenance tracking and cross-runtime compatibility. [27: JSR vs npm: JavaScript Package Registries in 2026] While JSR's adoption is still nascent compared to npm's 3.2 million packages, its security-by-design approach - including mandatory provenance and stronger version immutability - has attracted enterprise interest.
On the package manager front, pnpm, Yarn Berry, and Bun's integrated package manager are competing aggressively on speed, disk efficiency, and security features. Deno 2.0 now offers full Node.js/npm compatibility, while Bun 1.2 has doubled down on its all-in-one runtime and package manager story. [28: Deno 2.0 vs Node.js 22 vs Bun 1.2: The JavaScript Runtime Wars in 2026] None of these alternatives threatens npm's registry dominance in the near term, but they are pushing the ecosystem toward better security defaults.
Regulatory and Policy Landscape
EU Cyber Resilience Act
The most significant regulatory development affecting npm is the EU Cyber Resilience Act (CRA), Regulation (EU) 2024/2847. CRA reporting requirements become applicable on September 11, 2026, with full application of all obligations from December 11, 2027. [29: EU Cyber Resilience Act: Key 2026 milestones toward CRA compliance]
The CRA establishes mandatory cybersecurity requirements for "products with digital elements" placed on the EU market - a category that encompasses commercial software built using open-source npm dependencies. Manufacturers will be required to:
- Implement security-by-design throughout the product lifecycle
- Provide Software Bills of Materials (SBOMs)
- Report actively exploited vulnerabilities within 24 hours
- Provide security updates for the product's expected lifetime
The CRA explicitly recognizes the unique role of free and open-source software. Open source developed outside a commercial context is generally exempt, but commercial entities integrating open-source packages are responsible for the security of their products. [30: The Cyber Resilience Act: Implications for open source and digital products] For organizations that depend on npm packages - which is essentially every company with a web presence - this means new compliance obligations around dependency management and vulnerability tracking.
U.S. Response: CISA and Federal Guidance
In the United States, CISA's response to the Shai-Hulud worm included a formal alert urging all organizations to rotate credentials, audit npm dependencies, and adopt trusted publishing workflows. [9: CISA Alert: Widespread Supply Chain Compromise Impacting npm Ecosystem] The incident reinforced CISA's push for SBOM adoption and secure software development practices under the broader framework of Executive Order 14028 on Improving the Nation's Cybersecurity.
Challenges and Risks Facing the npm Ecosystem
The Maintainer Problem
Every major npm attack in this period exploited the same root cause: compromised maintainer credentials. Whether through phishing (Shai-Hulud), social engineering (Axios), or token theft (Shai-Hulud 2.0), the attacks targeted the humans behind the packages, not the packages themselves.
This reveals a structural problem. Many of npm's most critical packages are maintained by single individuals or small, unpaid teams. The Axios library, depended upon by millions of applications, had its security hinge on one maintainer's npm credentials. No amount of provenance tooling addresses the fundamental fragility of a system where a single compromised account can inject malware into 100 million weekly downloads within minutes.
Malware at Industrial Scale
The numbers paint a sobering picture. ReversingLabs' 2026 report identified a 73% increase in malicious open-source packages from 2024 to 2025. [31: ReversingLabs 2026 Software Supply Chain Security Report Identifies 73% Increase in Malicious Open-Source Packages] Sonatype's data is even more granular: 454,600 new malicious packages were identified in 2025 alone, bringing the cumulative total of known malware to over 1.233 million packages across all major registries. [3: Sonatype 2026 State of the Software Supply Chain Report] The Sonatype report characterized the evolution as a shift "from spam and stunts into sustained, industrialized campaigns."
Repository abuse - including spam, squatting, and typosquatting - accounts for 55.9% of all logged malicious packages. [3: Sonatype 2026 State of the Software Supply Chain Report] But the remaining 44% represents more sophisticated attacks: dependency confusion, account takeover, and worm-like propagation that can compromise entire supply chains in minutes.
Nation-State Involvement
The attribution of the Axios attack to North Korea's Sapphire Sleet represents a significant escalation. This is not an isolated incident - North Korean state-sponsored groups have systematically targeted the npm ecosystem as part of revenue-generation campaigns. The Axios attack is documented as a financially motivated operation by the threat cluster tracked as UNC1069 by Google. [32: Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069]
The involvement of state actors raises the stakes for npm security from a developer convenience concern to a national security issue. Organizations that build software using npm dependencies are now directly in the crosshairs of nation-state cyber operations.
The Detection Gap
While automated scanners flagged the Axios malware within minutes, the three-hour window of exposure was enough to potentially compromise any CI/CD pipeline or developer machine that ran npm install during that period. Combined, the affected Axios packages had over 2.6 billion weekly downloads. [33: What We Learned: Axios NPM Supply Chain Compromise Emergency Briefing — 2.6B weekly downloads figure] Detection speed is improving, but response time - the interval between detection and full remediation - remains a critical vulnerability.
npm Outlook for 2027
The trajectory for npm in 2027 will be shaped by several converging forces:
Security hardening will accelerate. GitHub's security roadmap - mandatory 2FA, short-lived tokens, and trusted publishing - represents the minimum viable response. Expect further restrictions, including potential mandatory provenance attestation for all published packages (not just those using trusted publishing) and stricter account verification requirements for high-impact packages.
Regulatory compliance will drive adoption of SBOMs and dependency tracking. With CRA reporting obligations beginning in September 2026 and full compliance required by December 2027, European organizations will need comprehensive visibility into their npm dependency trees. This will benefit commercial tools from Socket, Snyk, Sonatype, and others, and may push npm itself to provide richer native audit capabilities.
AI-related packages will become a primary attack surface. The SANDWORM_MODE campaign targeting AI developer tools is a preview of what is coming. As AI-assisted coding (via tools like GitHub Copilot, Claude Code, and Cursor) drives more developers to install npm packages recommended by AI agents, the attack surface for typosquatting and dependency confusion will expand. Expect attackers to target MCP servers, LLM SDK packages, and AI agent frameworks with increasing sophistication.
Alternative registries and runtimes will grow but not replace npm. JSR, Deno, and Bun will continue to chip away at npm's edges, particularly among TypeScript-first projects and security-conscious enterprises. However, npm's network effects - 3.2 million packages and decades of accumulated tooling - make displacement unlikely within the forecast period.
The maintainer sustainability crisis will become a board-level concern. The Axios incident demonstrated that the security of multi-billion-dollar enterprises depends on the operational security of unpaid open-source maintainers. Expect increased corporate funding for maintainer security programs (hardware security keys, security training, backup maintainers) and potentially new models like "verified maintainer" tiers within npm.
The state of npm in 2026 is paradoxical: it is simultaneously the most indispensable and the most attacked software infrastructure on the planet. The attacks of the past seven months have been a forcing function for long-overdue security improvements. Whether those improvements arrive fast enough to outpace the industrialization of supply chain attacks will define the ecosystem's next chapter.
Image: CHUTTERSNAP / Unsplash
