The npm incident frightened everyone, but ended up being nothing to fret about | CyberScoop<\/title> <meta name=\"description\" content=\"Disaster was averted after widely used open-source packages were compromised via social engineering.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/open-source-npm-package-attack\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"The npm incident frightened everyone, but ended up being nothing to fret about\"> <meta property=\"og:description\" content=\"Disaster was averted after widely used open-source packages were compromised via social engineering.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/open-source-npm-package-attack\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-09-10T14:34:59+00:00\"> <meta property=\"article:modified_time\" content=\"2025-09-10T14:35:01+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg\"> <meta property=\"og:image:width\" content=\"2015\"> <meta property=\"og:image:height\" content=\"1488\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1754500264g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1757443701g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85942\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85942\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fopen-source-npm-package-attack%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fopen-source-npm-package-attack%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85942 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/open-source-npm-package-attack\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.147959183673\">\n<div class=\"single-article__header-content\" readability=\"34.090185676393\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/open-source-npm-package-attack\/\"> <span>Technology<\/span> <\/a> <\/li>\n<\/ul>\n<p> Disaster was averted after widely used open-source packages were compromised via social engineering. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85942\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"473\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about.jpg?resize=640%2C473&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg 2015w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg?resize=300,222 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg?resize=768,567 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg?resize=1024,756 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg?resize=1536,1134 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg?resize=600,443 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg?resize=228,168 228w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg?resize=456,337 456w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg?resize=914,675 914w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-2.jpg?resize=1142,843 1142w\" sizes=\"(max-width: 914px) 100vw, 914px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"44.672071636012\"><body readability=\"90.829903978052\"><\/p>\n<p>Security professionals and observers across the industry got swept into a pit of fear Monday when an attacker took over and injected malicious code into a series of widely used open-source packages in the node.js package manager, or npm. Despite all that worry, the disaster that many presumed a foregone conclusion was averted and the consequences of the supply-chain attack were short-lived and minimal. <\/p>\n<p>Josh Junon, a developer and maintainer of the impacted software packages, took to social media early Monday to <a href=\"https:\/\/bsky.app\/profile\/bad-at-computer.bsky.social\/post\/3lydioq5swk2y\">confirm his npm account was compromised<\/a> via social engineering \u2014 a two-factor reset email that looked legitimate, he said. The attacker quickly posted updated software packages with payloads designed to intercept, manipulate and redirect cryptocurrency activity, according to researchers.<\/p>\n<p>Apprehension fueled by the popularity of the 18 packages affected \u2014 capturing <a href=\"https:\/\/www.aikido.dev\/blog\/npm-debug-and-chalk-packages-compromised\">more than 2 billion downloads per week<\/a> combined, according to Aikido Security \u2014 pushed some defenders to the brink of full-on freak-out mode. Ultimately, the open-source poisoning attack was successful, but impact was thwarted.<\/p>\n<p>\u201cThere was a lot of fear, uncertainty, and doubt in sensationalized headlines about the attack,\u201d Melissa Bischoping, senior director of security and product design research at Tanium, told CyberScoop. \u201cThe overall blast radius of the attack was relatively small, it was caught quickly, and the incident response process worked as intended. That\u2019s a good news story, not a horror story.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Junon said his account was restored about eight hours after he was duped by the social engineering attack, and infected versions of the packages were available for up to six hours before npm took them down and published stable versions. The most popular of the affected packages include ansi-styles, debug, chalk and supports-color.<\/p>\n<p>Many expected the compromise would result in widespread cryptocurrency theft, but the downstream effects of the attack appear negligible. The attacker\u2019s crypto address showed only $66.52, Arda B\u00fcy\u00fckkaya, senior cyber threat intelligent analyst at EclecticIQ, said in a <a href=\"https:\/\/www.linkedin.com\/posts\/activity-7370907959587024897-ky4u\/\">LinkedIn post<\/a> Monday. <\/p>\n<p>Researchers at blockchain analytics platform Arkham have traced about <a href=\"https:\/\/intel.arkm.com\/explorer\/entity\/bb347405-06a1-4268-a901-4b4e17d93bfa\">$1,027 in stolen cryptocurrency<\/a> to the attack as of Wednesday morning.<\/p>\n<p>\u201cWhile their motivation appears financial, it\u2019s easy to see how this could have been catastrophic and reminds us of the <a href=\"https:\/\/cyberscoop.com\/xz-utils-open-source\/\">XZ Utils breach<\/a> in 2024 and others in recent memory,\u201d Bischoping said. <\/p>\n<p>Researchers from multiple security outfits described the compromise as the largest npm attack on record due to the potential scale of compromise. Fortunately, the attacker\u2019s technical actions tipped off other developers.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThe attackers poorly used a widely known obfuscator, which led to immediate detection shortly after the malicious versions were published,\u201d Andrey Polkovnichenko, security researcher at JFrog, said in a <a href=\"https:\/\/jfrog.com\/blog\/new-compromised-packages-in-largest-npm-attack-in-history\/\">blog post<\/a>. <\/p>\n<p>While the initial wave of the attack was mostly stunted, researchers warn other npm maintainers were targeted and compromised by the same phishing campaign. Other packages known to be impacted include <a href=\"https:\/\/github.com\/advisories\/GHSA-w62p-hx95-gf2c\">duckdb<\/a>, proto-tinker-wc, prebid-universal-creative, prebid and prebid.js, Sonatype researchers said in a <a href=\"https:\/\/www.sonatype.com\/blog\/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack?hs_preview=OeCpEtjm-195727926588\">blog post<\/a> Monday. <\/p>\n<p>\u201cThe open-source community are so often the heroes in our industry,\u201d Bischoping said. \u201cThe passion, dedication, and resilience of the open-source community provide value we all benefit from. Every organization should consider how they can better support, fund and contribute to open-source projects because without them the tech industry would suffer.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7037037037037\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/open-source-npm-package-attack\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The npm incident frightened everyone, but ended up being nothing<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3548,2701,3734,282,78,4975,679,4976,1365,3875,1073,256,4977,4978,310],"tags":[3561,2704,3736,286,86,4979,680,4980,1366,3877,1076,262,4981,4982,311],"class_list":["post-7977","post","type-post","status-publish","format-standard","hentry","category-aikido-security","category-crypto","category-crypto-crime","category-cybercrime","category-cybersecurity","category-eclecticiq","category-financial","category-jfrog","category-money","category-npm","category-open-source","category-research","category-sonatype","category-tanium","category-technology","tag-aikido-security","tag-crypto","tag-crypto-crime","tag-cybercrime","tag-cybersecurity","tag-eclecticiq","tag-financial","tag-jfrog","tag-money","tag-npm","tag-open-source","tag-research","tag-sonatype","tag-tanium","tag-technology"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/aikido-security\/\" rel=\"category tag\">Aikido Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crypto\/\" rel=\"category tag\">crypto<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crypto-crime\/\" rel=\"category tag\">crypto crime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/eclecticiq\/\" rel=\"category tag\">EclecticIQ<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/financial\/\" rel=\"category tag\">Financial<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/jfrog\/\" rel=\"category tag\">JFrog<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/money\/\" rel=\"category tag\">Money<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/npm\/\" rel=\"category tag\">npm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sonatype\/\" rel=\"category tag\">Sonatype<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/tanium\/\" rel=\"category tag\">Tanium<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a>","tag_info":"Technology","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7977"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7977\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7977,"date":"2025-09-10T09:34:59","date_gmt":"2025-09-10T14:34:59","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85942"},"modified":"2025-09-10T09:34:59","modified_gmt":"2025-09-10T14:34:59","slug":"the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/09\/10\/the-npm-incident-frightened-everyone-but-ended-up-being-nothing-to-fret-about\/","title":{"rendered":"The npm incident frightened everyone, but ended up being nothing to fret about"},"content":{"rendered":"