Blog
Attack post-mortems, technical explainers, and product notes across every major package manager. Named attacks, specific dates, no filler.
Latest
Technical explainer
Gradle evaluates your build script and every applied plugin as code at configuration time, and it resolves from two registries — Maven Central for dependencies and the Gradle Plugin Portal for plugins. Why securing gradle build needs dual-origin gating.
Technical explainer
Maven’s defining supply-chain weakness is that, by default, there is no lockfile — version ranges and SNAPSHOTs resolve to whatever the repository serves. How verification-metadata, settings.xml mirrors, and an additive gate close the gap.
Technical explainer
NuGet has its own install-time execution (legacy install.ps1 and modern .targets/.props MSBuild injection), a real dependency-confusion history, and packages.lock.json for integrity. How the V3 protocol makes gating dotnet restore practical.
Technical explainer
gem install runs arbitrary code through native extensions (extconf.rb) — an install-time vector older than npm’s postinstall. What Gemfile.lock’s newer CHECKSUMS section adds, and how a single-host mirror gates bundle install.
Technical explainer
Rust is memory-safe, not supply-chain-safe. build.rs and proc-macros execute arbitrary code during cargo build, crates.io is a two-host registry, and Cargo.lock pins integrity but not trust. How dual-origin gating intercepts the .crate.
Technical explainer
Go has no postinstall scripts and a public checksum database — but go.sum proves integrity, not safety. How GOPROXY, the sumdb, and an install-time gate cover the gaps a typosquat or compromised maintainer leaves open.
Technical explainer
npm audit checks against known CVE databases and misses every zero-day supply chain attack. Here's exactly what npm audit does, its false positive problem, and how to use it correctly.
Technical explainer
Vibe coding ships fast because you stop reading the package list. That’s fine — until your AI coding assistant hallucinates a package name an attacker already registered, or a postinstall script scrapes your SSH keys. Here’s the threat model for AI-assisted devs and the one-line fix.
Attack post-mortem
January 2022: the original maintainer of colors and faker shipped sabotaged versions to npm. Same publisher, no postinstall, no exfil — just an infinite loop in the main module. Three Veln signals fire on replay; the cooling window and file-tree drift do the work. Verdict: BLOCK.
Technical explainer
GitHub Actions workflows are a prime target for supply chain attacks. Here's how to secure your npm and Python installs, pin action versions, and use Veln in CI.
Technical explainer
AI coding assistants occasionally invent package names that sound plausible but don’t exist. Attackers register the popular hallucinations within hours. Here’s the threat shape and how to defend against an attack class that didn’t exist three years ago.
Attack post-mortem
node-ipc@10.1.1 in March 2022 deleted files on machines geolocated to Russia or Belarus. The payload was IP-gated — the exact pattern our env-gated-risky-execution signal exists to catch. Five signals fire on replay; the LOL signal anchors the verdict at BLOCK.
Attack post-mortem
In January 2022, the developer of colors.js and faker.js deliberately shipped broken, infinite-loop versions of both packages. Here's what happened and what it means for supply chain trust.
Technical explainer
Your laptop has 23 abandoned side projects. Each has a node_modules from last year. The risk isn’t the package you install today — it’s the malicious code that’s been sitting on your disk since last summer, two AI tools and three editors ago.
Attack post-mortem
October 2021: a compromised npm publisher account pushed malicious versions of ua-parser-js to three different majors in five hours. Maintainer fingerprint does NOT change (the account was compromised, not handed off). Six other signals do. Verdict: BLOCK on all three coords.
Technical explainer
Your CI pipeline installed a malicious npm or Python package. Here's the exact incident response process: what to investigate, what to rotate, and how to prevent recurrence.
Technical explainer
AI coding tools in agent / auto-commit modes can run npm install autonomously. The trust delegation chain has a new link in it. Here’s what changes when the AI is the one typing the install command, and where to put the check.
Technical explainer
uv, pip, and poetry have different security properties. Here's a comparison of lockfile security, hash verification, and supply chain protections for each Python package manager.
Security research
When LLMs hallucinate plausible-sounding package names, attackers register those names and publish stubs with malicious payloads. The inverse of typosquatting — the model produced the name, not the developer.
Technical explainer
Your laptop has your personal stuff. Your CI has your production keys. The same malicious npm package, run in the same workflow, has very different consequences on each. Here’s why CI is the higher-value target — and the smaller checklist to harden it.
Attack post-mortem
We replayed the November 2018 event-stream compromise against the current Veln agent. Five trust signals fire, the score lands at 0.18, the gate returns 403. Here is the signal-by-signal breakdown of what catches it — and the two signals that do not.
Attack post-mortem
In March 2022, the node-ipc npm package was modified to delete files on computers in Russia and Belarus. Here's what happened, why it was unprecedented, and what it means for supply chain trust.
Technical explainer
Before you accept your AI assistant’s npm install suggestion, five things you can check in under a minute. Most catch the common slopsquats. The rest is what tooling automates.
Technical explainer
npm now supports build provenance via Sigstore. Here's what it is, how it works, what attacks it prevents, and where it leaves gaps that Veln fills.
Technical explainer
Modern npm/PyPI malware doesn’t drop ransomware. It harvests developer credentials. Here are the exact files attackers target on a vibe coder’s laptop and the patterns that appear in every recent incident.
Product update
Veln’s cooling gate ships with two defaults: minimum 2 hours since publication and minimum 10 community observations. Here is why those numbers, when to tune them, and how approval paths interact with the gate.
Technical explainer
If you publish npm packages, here's how to protect your account, secure your CI publishing pipeline, avoid patterns that trigger security scanners, and use npm provenance.
Technical explainer
pip installs run arbitrary Python at install time. Wheels can ship native code that runs the moment they’re unpacked. uv is faster but doesn’t change the trust model. Here’s what you’re actually running when you pip install.
Technical explainer
A deep dive into securing Python package installs in Docker: multi-stage builds, non-root users, read-only filesystems, Buildkit secrets, and Veln in CI.
Technical explainer
ML and AI projects are uniquely exposed to supply chain attacks: large dependency trees, frequent new packages, cloud credentials, and model weights. Here's how to protect them.
Technical explainer
Your AI assistant suggests left-pad@latest. Latest was published yesterday by an account that wasn’t the maintainer last week. AI assistants have no concept of maintainer churn. Here’s why that’s the failure mode behind every hijack of the last five years.
Attack post-mortem
SolarWinds is the most famous supply chain attack. Here's what actually happened, how it compares to npm and PyPI attacks, and what lessons apply to package manager security.
Technical explainer
Python virtual environments isolate packages between projects but don't protect against malicious packages. Here's what venv actually does for security and what additional steps are needed.
Technical explainer
npm scopes (@company/package) are your first line of defense against dependency confusion attacks. Here's how to configure them correctly and what can still go wrong.
Attack post-mortem
Self-replicating npm worms scrape publish tokens from infected developer machines and use them to publish malicious versions of every package those tokens can reach. Here is the propagation pattern, why it scales, and what reduces the blast radius.
Technical explainer
The advice to use the latest version comes from a different era. In an era of supply-chain attacks, the newest release is the one with the least vetting time. Here’s how to think about version selection for AI-assisted projects.
Technical explainer
A review of the current state of npm and PyPI security in 2026: what's improved, what remains broken, the most common attack patterns, and where the gaps still are.
Attack post-mortem
In November 2024, aiocpa — a Python library for the CryptoPay API — had a malicious update published that exfiltrated seed phrases and private keys. Here's the full breakdown.
Technical explainer
AWS credentials are the most commonly targeted secret in npm and PyPI supply chain attacks. Here's the specific patterns attackers use, why AWS is targeted, and how to protect your credentials.
Technical explainer
Your CI passes, your tests pass, but every time you wipe and reinstall, you re-pull the entire dependency tree from the live registry. If anything was hijacked between last install and this one, this is where you catch it — or don’t.
Technical explainer
Abandoned and under-maintained npm and PyPI packages are a primary supply chain attack vector. Here's why maintainer burnout creates security risk and what developers can do about it.
Technical explainer
Private npm and PyPI registries (Artifactory, Nexus, Verdaccio) introduce unique security risks. Here's how to configure them securely and what Veln adds.
Technical explainer
npm automation tokens with full account access are the norm. Here's how to use granular npm access tokens, scope them to specific packages, and limit the blast radius if a token is stolen.
Technical explainer
You have a 12-person team, a CI bill, and a security budget that has to fight for line items. Here is the ROI math, the alternatives compared, and the specific failure modes that would otherwise show up on your post-mortem.
Technical explainer
CI caches for npm and Python can persist malicious packages across builds and across time. Here's which caching strategies are safe, which are risky, and how to configure them correctly.
Technical explainer
A practical walk-through of npm’s dependency resolver: how SemVer ranges become resolved versions, when nested copies appear in node_modules, and why reading a package-lock.json diff is the only reliable supply-chain review.
Technical explainer
Monitoring outbound network traffic from your CI pipelines and developer machines is one of the most effective after-the-fact detections for supply chain attacks. Here's how to set it up.
Technical explainer
Using ^ and ~ in package.json lets npm automatically install new minor and patch versions. Here's why this creates a supply chain attack surface and how to use semver safely.
Technical explainer
Solo founder, two AI assistants, eleven side projects, one real revenue stream. Here is the smallest set of supply-chain hardening you can apply in half an hour and the specific incidents it would have prevented.
Technical explainer
Transitive npm dependencies are the primary supply chain attack surface, not direct dependencies. Here's why, how deep dependency trees amplify risk, and what to do about it.
Technical explainer
Before installing a Python package, you can verify its publisher, release history, download counts, and source code. Here's a step-by-step manual verification process and what Veln automates.
Technical explainer
npm lifecycle scripts and Python build hooks execute shell commands. Here's how the shell execution works, what escape vectors exist, and how Veln catches shell-based supply chain attacks.
Technical explainer
When the procurement form lands, you have 15 questions and a Slack thread. Here are the 20 things you actually need to verify before buying, organized by attack class, and what answers should make you walk away.
Technical explainer
Unexpected license changes in transitive npm and Python dependencies can signal a supply chain compromise. Here's how license verification fits into your security posture.
Technical explainer
LLMs like GPT-4 and Claude sometimes recommend npm and Python packages that don't exist. Attackers register those package names. Here's the risk and how to protect yourself.
Attack post-mortem
PyTorch nightly builds briefly pulled a malicious torchtriton package from public PyPI instead of the internal one. The mechanism is the canonical dependency-confusion attack, and it still works today.
Technical explainer
pip’s backtracking resolver is what decides which version of every Python package gets installed. Here is how it works, what changed in pip 20.3, and how to make builds reproducible with hashed lockfiles.
Attack post-mortem
Three versions of ua-parser-js were briefly published with cryptominer and credential-stealer payloads after the maintainer’s npm account was taken over. A clean illustration of how reach amplifies short exposure windows.
Technical explainer
The lockfile is the source of truth for what your build will install. A field-by-field walk-through of package-lock.json so the next thousand-line lockfile diff in code review is readable in minutes.
Attack post-mortem
In 2024, a malicious version of litellm was published to PyPI and downloaded by developers in less than 5 minutes. Here's what happened, how it worked, and how Veln would have caught it.
Technical explainer
Dependency confusion lets attackers serve malicious packages to your developers by exploiting how npm and pip resolve package names. Here's the exact mechanism, real examples, and defenses.
Technical explainer
npm ci installs strictly from package-lock.json with integrity verification on every package. A small command change with outsized benefits for build reproducibility, performance, and supply-chain hygiene.
Technical explainer
Most supply chain attacks on npm and PyPI have an exposure window of hours to days before threat feeds catch up. Here's what that window looks like, who is most at risk, and what actually closes it.
Security research
PyPI typosquats follow a small set of recurring patterns: transposition, omission, hyphenation variants, prefix and suffix insertion, abandoned-name resurrection. Here is the catalog and what each pattern looks like in the wild.
Technical explainer
npm install executes arbitrary code from the internet with no verification. Here's why that's true by design, what the consequences are, and how Veln adds the verification layer npm doesn't have.
Technical explainer
pip-compile --generate-hashes plus pip install --require-hashes gives you the Python equivalent of npm ci: byte-identical wheels across machines and refusal to install if any artifact’s hash does not match.
Attack post-mortem
The xz utils backdoor was 29 months in the making. The exposure window was approximately 5 hours. Here's the complete timeline and what it teaches us about supply chain security.
Attack post-mortem
The canonical maintainer-handoff supply-chain attack. A polite stranger took over an unmaintained npm package, added a transitive dependency, and shipped a payload that ran only inside one specific cryptocurrency wallet.
Technical explainer
Three Software Bill of Materials formats compete for the same shelf. Here is what each format is good at, where it is used, and how to pick one without overthinking it.
Security research
A research note on detection latency for malicious npm packages: median windows of hours for high-profile cases, days-to-weeks for the long tail, with the data caveats. The implication for defense planning is structural.
Attack post-mortem
In May 2022, two long-stable open-source packages were modified to exfiltrate environment variables. Both fell to the same vector: their maintainers’ email domains had expired and been re-registered.
Technical explainer
npm postinstall is the most common code-execution surface for malicious packages. A taxonomy of the patterns observed in the wild — credential exfiltration, downloaded payloads, obfuscated runtime, conditional triggers — and what reliably catches each one.
Technical explainer
Sigstore replaces long-lived signing keys with short-lived OIDC-issued certificates and a public transparency log. This is the foundation under npm provenance and PyPI Trusted Publishing — here is how the trust chain actually works.
Technical explainer
Trusted Publishing replaces long-lived publish tokens with short-lived OIDC identity assertions from your CI workflow. Setup takes 30 minutes and removes the most-stolen credential class from your infrastructure.
Security research
A taxonomy of the vectors observed across documented npm and PyPI account-takeover incidents: phishing, credential reuse, expired domains, session-token theft, OAuth grants, and social-engineered handoffs. Each with what mitigates it.
Security research
The cooling-period idea — refuse to install brand-new versions until they have been published long enough and observed enough — has a long history in academic literature. Here are the threads of research and why two thresholds beat one.