Blog
Attack post-mortems, technical explainers, and product notes focused on npm and Python. Named attacks, specific dates, no filler.
Latest
Security research
When LLMs hallucinate plausible-sounding package names, attackers register those names and publish stubs with malicious payloads. The inverse of typosquatting — the model produced the name, not the developer.
Product update
Veln’s cooling gate ships with two defaults: minimum 2 hours since publication and minimum 10 community observations. Here is why those numbers, when to tune them, and how approval paths interact with the gate.
Attack post-mortem
Self-replicating npm worms scrape publish tokens from infected developer machines and use them to publish malicious versions of every package those tokens can reach. Here is the propagation pattern, why it scales, and what reduces the blast radius.
Technical explainer
A practical walk-through of npm’s dependency resolver: how SemVer ranges become resolved versions, when nested copies appear in node_modules, and why reading a package-lock.json diff is the only reliable supply-chain review.
Attack post-mortem
PyTorch nightly builds briefly pulled a malicious torchtriton package from public PyPI instead of the internal one. The mechanism is the canonical dependency-confusion attack, and it still works today.
Technical explainer
pip’s backtracking resolver is what decides which version of every Python package gets installed. Here is how it works, what changed in pip 20.3, and how to make builds reproducible with hashed lockfiles.
Attack post-mortem
Three versions of ua-parser-js were briefly published with cryptominer and credential-stealer payloads after the maintainer’s npm account was taken over. A clean illustration of how reach amplifies short exposure windows.
Technical explainer
The lockfile is the source of truth for what your build will install. A field-by-field walk-through of package-lock.json so the next thousand-line lockfile diff in code review is readable in minutes.
Attack post-mortem
In 2024, a malicious version of litellm was published to PyPI and downloaded by developers in less than 5 minutes. Here's what happened, how it worked, and how Veln would have caught it.
Technical explainer
Dependency confusion lets attackers serve malicious packages to your developers by exploiting how npm and pip resolve package names. Here's the exact mechanism, real examples, and defenses.
Technical explainer
npm ci installs strictly from package-lock.json with integrity verification on every package. A small command change with outsized benefits for build reproducibility, performance, and supply-chain hygiene.
Technical explainer
Most supply chain attacks on npm and PyPI have an exposure window of hours to days before threat feeds catch up. Here's what that window looks like, who is most at risk, and what actually closes it.
Security research
PyPI typosquats follow a small set of recurring patterns: transposition, omission, hyphenation variants, prefix and suffix insertion, abandoned-name resurrection. Here is the catalog and what each pattern looks like in the wild.
Technical explainer
npm install executes arbitrary code from the internet with no verification. Here's why that's true by design, what the consequences are, and how Veln adds the verification layer npm doesn't have.
Technical explainer
pip-compile --generate-hashes plus pip install --require-hashes gives you the Python equivalent of npm ci: byte-identical wheels across machines and refusal to install if any artifact’s hash does not match.
Attack post-mortem
The xz utils backdoor was 29 months in the making. The exposure window was approximately 5 hours. Here's the complete timeline and what it teaches us about supply chain security.
Attack post-mortem
The canonical maintainer-handoff supply-chain attack. A polite stranger took over an unmaintained npm package, added a transitive dependency, and shipped a payload that ran only inside one specific cryptocurrency wallet.
Technical explainer
Three Software Bill of Materials formats compete for the same shelf. Here is what each format is good at, where it is used, and how to pick one without overthinking it.
Security research
A research note on detection latency for malicious npm packages: median windows of hours for high-profile cases, days-to-weeks for the long tail, with the data caveats. The implication for defense planning is structural.
Attack post-mortem
In May 2022, two long-stable open-source packages were modified to exfiltrate environment variables. Both fell to the same vector: their maintainers’ email domains had expired and been re-registered.
Technical explainer
npm postinstall is the most common code-execution surface for malicious packages. A taxonomy of the patterns observed in the wild — credential exfiltration, downloaded payloads, obfuscated runtime, conditional triggers — and what reliably catches each one.
Technical explainer
npm audit checks against known CVE databases and misses every zero-day supply chain attack. Here's exactly what npm audit does, its false positive problem, and how to use it correctly.
Technical explainer
Veln Consensus compares the hash of every package you download against other Veln users worldwide. Here's how it detects targeted attacks that few other tools can catch.
Technical explainer
GitHub Actions workflows are a prime target for supply chain attacks. Here's how to secure your npm and Python installs, pin action versions, and use Veln in CI.
Attack post-mortem
In January 2022, the developer of colors.js and faker.js deliberately shipped broken, infinite-loop versions of both packages. Here's what happened and what it means for supply chain trust.
Technical explainer
Your CI pipeline installed a malicious npm or Python package. Here's the exact incident response process: what to investigate, what to rotate, and how to prevent recurrence.
Technical explainer
Sigstore replaces long-lived signing keys with short-lived OIDC-issued certificates and a public transparency log. This is the foundation under npm provenance and PyPI Trusted Publishing — here is how the trust chain actually works.
Technical explainer
uv, pip, and poetry have different security properties. Here's a comparison of lockfile security, hash verification, and supply chain protections for each Python package manager.
Attack post-mortem
In March 2022, the node-ipc npm package was modified to delete files on computers in Russia and Belarus. Here's what happened, why it was unprecedented, and what it means for supply chain trust.
Technical explainer
npm now supports build provenance via Sigstore. Here's what it is, how it works, what attacks it prevents, and where it leaves gaps that Veln fills.
Technical explainer
Trusted Publishing replaces long-lived publish tokens with short-lived OIDC identity assertions from your CI workflow. Setup takes 30 minutes and removes the most-stolen credential class from your infrastructure.
Technical explainer
If you publish npm packages, here's how to protect your account, secure your CI publishing pipeline, avoid patterns that trigger security scanners, and use npm provenance.
Technical explainer
A deep dive into securing Python package installs in Docker: multi-stage builds, non-root users, read-only filesystems, Buildkit secrets, and Veln in CI.
Technical explainer
ML and AI projects are uniquely exposed to supply chain attacks: large dependency trees, frequent new packages, cloud credentials, and model weights. Here's how to protect them.
Security research
A taxonomy of the vectors observed across documented npm and PyPI account-takeover incidents: phishing, credential reuse, expired domains, session-token theft, OAuth grants, and social-engineered handoffs. Each with what mitigates it.
Attack post-mortem
SolarWinds is the most famous supply chain attack. Here's what actually happened, how it compares to npm and PyPI attacks, and what lessons apply to package manager security.
Technical explainer
Python virtual environments isolate packages between projects but don't protect against malicious packages. Here's what venv actually does for security and what additional steps are needed.
Technical explainer
npm scopes (@company/package) are your first line of defense against dependency confusion attacks. Here's how to configure them correctly and what can still go wrong.
Security research
The cooling-period idea — refuse to install brand-new versions until they have been published long enough and observed enough — has a long history in academic literature. Here are the threads of research and why two thresholds beat one.
Technical explainer
A review of the current state of npm and PyPI security in 2026: what's improved, what remains broken, the most common attack patterns, and where the gaps still are.
Attack post-mortem
In November 2024, aiocpa — a Python library for the CryptoPay API — had a malicious update published that exfiltrated seed phrases and private keys. Here's the full breakdown.
Technical explainer
Veln assigns a trust score from 0–100 to every package install. Here's exactly what signals contribute to the score, what drives each verdict, and how to interpret the results.
Technical explainer
When Veln blocks or warns on a package, it produces a detailed report. Here's how to read every section of the report and decide what to do next.
Technical explainer
AWS credentials are the most commonly targeted secret in npm and PyPI supply chain attacks. Here's the specific patterns attackers use, why AWS is targeted, and how to protect your credentials.
Technical explainer
Abandoned and under-maintained npm and PyPI packages are a primary supply chain attack vector. Here's why maintainer burnout creates security risk and what developers can do about it.
Technical explainer
Private npm and PyPI registries (Artifactory, Nexus, Verdaccio) introduce unique security risks. Here's how to configure them securely and what Veln adds.
Technical explainer
npm automation tokens with full account access are the norm. Here's how to use granular npm access tokens, scope them to specific packages, and limit the blast radius if a token is stolen.
Technical explainer
CI caches for npm and Python can persist malicious packages across builds and across time. Here's which caching strategies are safe, which are risky, and how to configure them correctly.
Technical explainer
Monitoring outbound network traffic from your CI pipelines and developer machines is one of the most effective after-the-fact detections for supply chain attacks. Here's how to set it up.
Technical explainer
Using ^ and ~ in package.json lets npm automatically install new minor and patch versions. Here's why this creates a supply chain attack surface and how to use semver safely.
Technical explainer
Transitive npm dependencies are the primary supply chain attack surface, not direct dependencies. Here's why, how deep dependency trees amplify risk, and what to do about it.
Technical explainer
Before installing a Python package, you can verify its publisher, release history, download counts, and source code. Here's a step-by-step manual verification process and what Veln automates.
Technical explainer
npm lifecycle scripts and Python build hooks execute shell commands. Here's how the shell execution works, what escape vectors exist, and how Veln catches shell-based supply chain attacks.
Technical explainer
Unexpected license changes in transitive npm and Python dependencies can signal a supply chain compromise. Here's how license verification fits into your security posture.
Technical explainer
LLMs like GPT-4 and Claude sometimes recommend npm and Python packages that don't exist. Attackers register those package names. Here's the risk and how to protect yourself.