DASH NYC, June 9-10 | AI + Observability.

Inside the Supply-Chain Attacks of 2026: Key Learnings and Quick Wins - Day 2

About this Session

The npm registry hosts over 3 million packages and serves 400 million downloads every month, which makes it an attractive target for attackers. In 2025 and 2026, the ecosystem saw a sharp escalation in supply chain attacks: phishing campaigns targeting maintainers, credential theft at scale, and the first self-replicating worms spreading through package dependencies.

 

In this talk, we'll review the most impactful supply chain attacks of 2025 and 2026, and share an actionable roadmap that defenders can use to harden their build pipelines and developer practices to prevent compromise.
