NPM Adopts Staged Publishing to Contain Malicious Packages
Hello HaWkers, NPM announced a significant change in how new packages are published to the registry. From now on, packages will go through a gradual publishing system, with checks in multiple stages before becoming fully available.
This change comes in response to the increase in supply chain attacks that have affected the JavaScript ecosystem in recent years. Have you already verified if all your dependencies are secure?
The Problem: Supply Chain Attacks
Supply chain attacks have become one of the biggest threats to the JavaScript ecosystem:
Notable recent incidents:
- Typosquatting packages imitating popular libraries
- Compromised maintainer accounts
- Malicious code in updates of legitimate packages
- Infected transitive dependencies
Concerning statistics:
| Year | Malicious packages detected | Increase |
|---|---|---|
| 2023 | 1,200 | - |
| 2024 | 2,800 | +133% |
| 2025 | 5,500 | +96% |
🚨 Alert: Most malicious packages are only detected after already being installed thousands of times.
The New Publishing System
NPM will implement a staged publishing process:
Stage 1: Initial Quarantine (0-24h)
New packages enter immediate quarantine:
What happens:
- Package is published but doesn't appear in searches
- Automated static code analysis
- Check for known malicious patterns
- Recursive dependency scan
```bash
# Behavior for publishers
npm publish my-package
# Output:
# ✓ Package uploaded successfully
# ⏳ Entering quarantine period (24h)
# ℹ️ Package will be searchable after review
# ℹ️ Direct install via URL available immediately
```
Stage 2: Automated Analysis (24-48h)
AI systems analyze the package:
Checks performed:
- Code behavior in sandbox
- Suspicious network communications
- Access to sensitive files
- Code obfuscation patterns
- Comparison with original source code (if OSS)
Stage 3: Gradual Availability (48h+)
After passing checks:
Progressive release:
- Day 1-2: Available for direct installation
- Day 3-5: Appears in searches with "new" warning
- Day 6-14: Active behavior monitoring
- Day 15+: "Verified" status if no issues

Impact For Developers
Package Publishers
If you maintain packages on NPM:
Workflow changes:
```jsonc
// package.json - New options
{
  "name": "my-package",
  "version": "1.0.0",
  "publishConfig": {
    // Request expedited review
    "expeditedReview": true,
    // Link to verified repository
    "repository": "https://github.com/user/repo",
    // Provide identity proofs
    "provenance": true
  }
}
```
Recommended practices:
- Link your package to GitHub repository
- Enable provenance for verifiable builds
- Maintain consistent publishing history
- Use 2FA on your NPM account
Package Consumers
For those installing dependencies:
New flags available:
```bash
# Install only verified packages
npm install --verified-only
# View verification status
npm info lodash --security
# Audit with new metrics
npm audit --include-quarantine
```
Publisher Verification System
NPM also introduces a reputation system:
Trust Levels
```javascript
// Publisher levels
const publisherTrust = {
  new: {
    level: 0,
    restrictions: 'Full quarantine (48h)',
    packagesPublished: '0-5'
  },
  established: {
    level: 1,
    restrictions: 'Reduced quarantine (12h)',
    packagesPublished: '6-50',
    accountAge: '> 6 months'
  },
  trusted: {
    level: 2,
    restrictions: 'Automated analysis only',
    packagesPublished: '> 50',
    accountAge: '> 2 years',
    verified2FA: true
  },
  verified: {
    level: 3,
    restrictions: 'Instant publishing',
    requirements: [
      'Verified organization',
      'Approved security audit',
      'Contract with NPM'
    ]
  }
};
```
Verified Organizations
Companies can request verified status:
Benefits:
- Instant publishing
- Verification badge
- Priority support
- Early security alerts
Requirements:
- Initial security audit
- Documented publishing policies
- Regular credential rotation
- Defined incident response
Typosquatting Protection
NPM also combats packages with similar names:
Automatic Detection
```javascript
// Typosquatting detection system
const typosquatDetection = {
  // Check similarity with popular packages
  checkSimilarity: (newPackage, popularPackages) => {
    // Levenshtein distance
    // Phonetic analysis
    // Common typing patterns
  },
  // Examples automatically blocked (original name -> blocked variations)
  blockedPatterns: {
    lodash: ['l0dash', 'lodsh', 'loadash'],
    express: ['expres', 'expresss', 'exprees'],
    react: ['reakt', 'raect', 'reactt']
  },
  // Action when detected
  onDetection: 'quarantine_extended' // 7 days
};
```
Similar Name Reservation
Popular packages can reserve variations:
```bash
# Popular package owners
npm reserve-names lodash --variations
# Automatically reserves:
# - lodash (original)
# - l0dash
# - lodsh
# - loadash
# - lodash-js
# etc.
```
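To make the detection idea above concrete, here is an added example (my own code, not NPM's detection system) that screens a candidate package name against a short constructed list of popular packages: it normalises common look-alike characters, strips a few suffixes attackers append, and flags any name within a small Levenshtein distance of a popular one. The homoglyph map, the suffix list, the popular-package list and the distance threshold are all assumptions.

```javascript
// Added example (not NPM's code): an edit-distance screen for typosquatted names.
// Constructed list of popular packages; a real check would use registry data.
const POPULAR_PACKAGES = ['lodash', 'express', 'react'];

// Characters commonly swapped for look-alikes in typosquats (assumed map)
const HOMOGLYPHS = { '0': 'o', '1': 'l', '3': 'e', '5': 's', '$': 's' };

// Suffixes commonly appended to a popular name (assumed list)
const SUFFIXES = ['-js', '.js', 'js', '-node'];

// Lower-case the name, replace look-alike characters, drop one known suffix
function normalise(name) {
  let out = name.toLowerCase().split('').map((ch) => HOMOGLYPHS[ch] ?? ch).join('');
  for (const suffix of SUFFIXES) {
    if (out.endsWith(suffix) && out.length - suffix.length >= 3) {
      out = out.slice(0, -suffix.length);
      break;
    }
  }
  return out;
}

// Classic Levenshtein distance using two rolling rows
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns { target, distance } when `candidate` looks like a typosquat of a
// popular package, or null when it is the genuine package or nothing is close.
function findTyposquatTarget(candidate, popular = POPULAR_PACKAGES, maxDistance = 2) {
  if (popular.includes(candidate)) return null; // the real package itself
  const normalised = normalise(candidate);
  let best = null;
  for (const target of popular) {
    const distance = levenshtein(normalised, target);
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { target, distance };
    }
  }
  return best;
}

// Stand-alone run over the page's own examples plus a legitimate unrelated name
for (const name of ['l0dash', 'lodsh', 'loadash', 'lodash-js', 'raect', 'koa']) {
  console.log(name, '->', JSON.stringify(findTyposquatTarget(name)));
}
```

This is only the edit-distance core; a registry-side check would add the phonetic and keyboard-adjacency signals the page mentions and a far larger popular-package list. The `raect` case shows why the threshold is 2 rather than 1: plain Levenshtein counts a transposition as two edits.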
Enhanced Audit Tools
New tools to verify dependencies:
Expanded NPM Audit
```bash
# Full audit with new metrics
npm audit --full
# Output includes:
# - Known vulnerabilities (default)
# - Dependency quarantine status
# - Publisher history
# - Behavior analysis
# - Aggregated risk score
```
CI/CD Integration
```yaml
# GitHub Actions example
name: Security Check
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: NPM Audit
        run: |
          npm audit --audit-level=moderate
          npm audit --quarantine-check
          npm audit --publisher-trust
      - name: Block if quarantined deps
        run: npm ci --verified-only
```
Implementation Timeline
NPM will implement changes gradually:
Rollout phases:
| Phase | Date | Change |
|---|---|---|
| 1 | January 2026 | Quarantine for new publishers |
| 2 | March 2026 | Reputation system |
| 3 | June 2026 | Quarantine for all new packages |
| 4 | September 2026 | Optional mandatory verification |
| 5 | 2027 | Full enforcement |
Criticism and Concerns
The community has mixed reactions:
Concerns raised:
- Delay in publishing urgent patches
- Additional complexity for maintainers
- Possible false positives
- Cost for small projects
NPM responses:
- Emergency channel for critical patches
- Reputation system reduces delays
- ML trained to minimize false positives
- Free for open source projects
What to Do Now
As a developer, prepare yourself:
Recommended actions:
- Enable 2FA on your NPM account
- Link packages to GitHub repositories
- Review your dependencies with npm audit
- Consider using strict lockfiles
- Implement verification in CI/CD
Conclusion
NPM staged publishing is a necessary response to the growth of supply chain attacks. While it adds friction to the publishing process, the security benefits outweigh the inconveniences.
For the JavaScript ecosystem as a whole, this represents an important maturation in how we handle dependency security.
If you want to learn more about JavaScript security, I recommend checking out another article: Critical Node.js Vulnerability Allowed Denial of Service Attacks where you'll discover how to keep your servers secure.