Real-time* monitoring of the npm ecosystem's structural integrity
YES, OBVIOUSLY
Since: always, but specifically since March 31, 2026
CURRENT FIRE LEVEL
fine | concerning | npm
DAYS WITHOUT A SUPPLY CHAIN INCIDENT
0
The counter has never gone above 3
2
Packages compromised this week
1
Source code leaks via .map files
2,388
Combined HN points about npm disasters
RECENT INCIDENT LOG
Mar 31, 2026
axios npm supply chain attack
CRITICAL
RAT dropper injected via stolen maintainer credentials. Malicious plain-crypto-js dependency. Cross-platform payload. 930pts on HN. Your node_modules wept.
Mar 31, 2026
Claude Code entire source code leaked via npm source map
CRITICAL
1,900 TypeScript files. 512K lines. Unobfuscated. Found via .map file pointing to Anthropic's R2 bucket. Reveals anti-distillation fake tools, undercover mode, frustration regexes. 1,058pts on HN.
Mar 29, 2026
Claude Code runs git reset --hard every 10 min
HIGH
Silently destroying user work. "It's a feature." Developer tears classified as expected behavior.
Feb 2026
ClawJacked (7 CVEs)
CRITICAL
WebSocket hijack of local AI agents. Malicious websites brute-force local ports. Self-hosted = self-secured = self-owned.
Ongoing
node_modules is 47% of your disk
CHRONIC
This is not an incident. This is a lifestyle.
HELPFUL SUGGESTIONS
- Run npm audit (lol)
- Check if your dependencies have dependencies that have dependencies that are compromised
- Consider a lockfile. Consider a second lockfile for the first lockfile.
- Ask yourself: "Do I really need left-pad?"
- Contemplate the void that is node_modules/
- Accept that the supply chain is a supply chainsaw
* "Real-time" means we checked once and the answer was yes. Happy April 1st. But also, npm really was on fire yesterday. Twice.