Should we use the latest npm packages or wait for a release to settle?

Two recent incidents have occurred where a user’s npm credentials were compromised and attackers published malicious versions of packages.

Recently, multiple packages belonging to a single maintainer, accounting for two billion weekly downloads, were subject to a email phishing attack.

Last month, the S1ngularity supply chain attack exploited a flawed GitHub Actions workflow in the Nx repo to publish a malicious version of the package on npm, which included a postinstall malware script.

This script attempted to steal GitHub tokens, npm tokens, SSH keys, .env files, crypto wallets, and upload the secrets to public GitHub repositories.

What made this attack stand out was that the attacker used installed cli coding agents (Claude Code/Gemini etc) to search for and harvest sensitive credentials and secrets using prompts.

This forces us to ask what’s more secure, the latest package that has new security fixes, or the latest package that was compromised in a supply chain attack?

There is no simple solution. One possible approach is to use packages that adopt the trusted publisher model and manually verify things before updating dependencies.

References:
Phishing email attack (https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack)
S1ngularity attack (https://nx.dev/blog/s1ngularity-postmortem)