{"id":7987,"date":"2025-09-15T08:21:27","date_gmt":"2025-09-15T13:21:27","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85982"},"modified":"2025-09-15T08:21:27","modified_gmt":"2025-09-15T13:21:27","slug":"when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/09\/15\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise\/","title":{"rendered":"When \u2018minimal impact\u2019 isn\u2019t reassuring: lessons from the largest npm supply chain compromise"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>When \u2018minimal impact\u2019 isn\u2019t reassuring: lessons from the largest npm supply chain compromise | CyberScoop<\/title> <meta name=\"description\" content=\"The scale of this incident should serve as a wake-up call for the industry. Even though the financial fallout has been labeled \u201cminimal,\u201d attackers were able to compromise packages at the very core of the JavaScript ecosystem. That reality should concern every developer, security leader, and policymaker.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/npm-supply-chain-compromise-brian-fox-sonatype-op-ed\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"When \u2018minimal impact\u2019 isn\u2019t reassuring: lessons from the largest npm supply chain compromise\"> <meta property=\"og:description\" content=\"The scale of this incident should serve as a wake-up call for the industry. 
Even though the financial fallout has been labeled \u201cminimal,\u201d attackers were able to compromise packages at the very core of the JavaScript ecosystem. That reality should concern every developer, security leader, and policymaker.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/npm-supply-chain-compromise-brian-fox-sonatype-op-ed\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-09-15T13:21:27+00:00\"> <meta property=\"article:modified_time\" content=\"2025-09-15T13:21:30+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1193\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. 
--> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1754500264g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1757443701g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85982\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85982\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnpm-supply-chain-compromise-brian-fox-sonatype-op-ed%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnpm-supply-chain-compromise-brian-fox-sonatype-op-ed%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85982 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/npm-supply-chain-compromise-brian-fox-sonatype-op-ed\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> 
<span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.879912663755\">\n<div class=\"single-article__header-content\" readability=\"35.2425\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/npm-supply-chain-compromise-brian-fox-sonatype-op-ed\/\"> <span>Commentary<\/span> <\/a> <\/li>\n<\/ul>\n<p> Commentary that downplays the compromise\u2019s impact misses the point, the co-founder of Sonatype argues. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85982\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"APT33\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg?resize=1200,675 1200w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> APT33 changed their code after a report in March. (Getty) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"55.355420749728\"><body readability=\"111.34295227525\"><\/p>\n<p>Earlier this week, Aikido Security disclosed what is being described as the largest npm supply chain compromise to date. Attackers successfully injected malicious code into 18 popular npm packages, collectively accounting for more than 2.6 billion weekly downloads. The entire campaign began not with a technical exploit, but with a single, well-trained maintainer clicking on a convincingly crafted phishing email.<\/p>\n<p>The scale of this incident should serve as a wake-up call for the industry. Even though the financial fallout has been labeled \u201cminimal,\u201d attackers were able to compromise packages at the very core of the JavaScript ecosystem. That reality should concern every developer, security leader, and policymaker.<\/p>\n<p>We can\u2019t afford to normalize these events as routine, low-stakes occurrences. Each successful package takeover exposes the fragility of our collective software infrastructure. The fact that defenders managed to contain this \u201cleaking roof\u201d in time should not reassure us \u2014 it should motivate us to act before the next one.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-anatomy-of-the-compromise\">Anatomy of the compromise<\/h4>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The attack began with a familiar but effective tactic: account takeover. 
According to Aikido, attackers tricked the maintainer of the affected libraries using a phishing email impersonating npm support, requesting a two-factor authentication update. With those stolen credentials in hand, the attackers published malicious versions of popular packages \u2014 including <em>chalk<\/em> and <em>debug<\/em> \u2014 by modifying their index.js files.<\/p>\n<p>The injected payload was designed to hijack cryptocurrency transactions. By monitoring and intercepting calls to browser APIs like fetch, XMLHttpRequest, and wallet interfaces such as window.ethereum, the malware could redirect funds to attacker-controlled addresses.<\/p>\n<p>Fortunately, the malicious versions were identified within minutes and publicly disclosed within the hour. This rapid response helped prevent widespread damage. Still, millions of developers pulled compromised versions during that brief window \u2014 a reminder of how much trust we place in open source infrastructure and how quickly that trust can be exploited.<\/p>\n<p>Adding to the picture, <a href=\"https:\/\/www.sonatype.com\/blog\/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack\">further research<\/a> has revealed that additional npm packages were hijacked as part of this campaign, including <em>duckdb<\/em>, which alone sees nearly 150,000 downloads per week. These findings reinforce the breadth of the operation and highlight how difficult it is to measure the full scope of supply chain compromises in real time.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-a-playbook-that-s-here-to-stay\">A playbook that\u2019s here to stay<\/h4>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>This compromise was not an isolated incident. 
Package takeovers have become a standard tactic for threat actors because they provide unmatched reach: compromise one popular project, and you instantly gain access to millions of downstream systems.&nbsp;<\/p>\n<p>We have seen this strategy become a key tool for advanced persistent threats (APTs), including groups like<a href=\"https:\/\/www.sonatype.com\/blog\/sonatype-uncovers-global-espionage-campaign-in-open-source-ecosystems\"> Lazarus most recently<\/a>. Package takeovers allow them to infiltrate massive portions of the world\u2019s developer population by targeting a single under-resourced project.<\/p>\n<p>The npm ecosystem is not unique in this regard. Whether it\u2019s PyPI, RubyGems, or Maven Central, package registries are critical distribution points in the modern software supply chain. They represent single points of failure that adversaries will continue to exploit.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-the-it-wasn-t-that-bad-narrative\">The \u201cit wasn\u2019t that bad\u201d narrative<\/h4>\n<p>Since disclosure, some industry commentary has downplayed the incident. Reports note that the attackers appear to have stolen just a handful of crypto assets: roughly 5 cents of ETH and $20 worth of a small memecoin.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>But this framing is short-sighted. The true cost is not the stolen cryptocurrency; it\u2019s the thousands of hours of engineering and security work required worldwide to clean up compromised environments, not to mention the contracts, compliance requirements, and audits that inevitably follow.&nbsp;<\/p>\n<p>What\u2019s also striking is how quickly attackers are now able to act. In this case, malicious versions of npm packages were downloaded potentially millions of times within minutes. 
The same pattern has played out for years in vulnerability exploitation \u2014 from Heartbleed to Equifax \u2014 where the time between disclosure and exploitation has shrunk to nearly zero.<\/p>\n<p>The \u201cminimal impact\u201d narrative risks lulling organizations into complacency. It encourages a mindset where each incident is dismissed as \u201clow risk\u201d until, one day, it isn\u2019t.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-what-needs-to-change\">What needs to change<\/h4>\n<p>Focusing on what didn\u2019t happen ignores the reality that attackers had the opportunity to hit far harder. This incident underscores several urgent priorities, including:<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<ul class=\"wp-block-list\">\n<li><strong>Strengthen maintainer security:<\/strong> Package maintainers are the new frontline of cyberattacks. Protecting their accounts with phishing-resistant authentication, hardware keys, and stronger identity protections must become the norm, not the exception.<\/li>\n<li><strong>Improve ecosystem-level safeguards:<\/strong> Registries must continue to invest in stronger safeguards, such as mandatory MFA, anomaly detection for unusual publishing activity, and proactive monitoring for malicious code patterns.<\/li>\n<li><strong>Shift industry mindset:<\/strong> Organizations need to treat every compromise of a widely used package as a major security incident \u2014 even if the immediate payload looks trivial. A malicious package should trigger the same urgency as a zero-day exploit, because the potential blast radius is just as large.<\/li>\n<li><strong>Invest in supply chain visibility:<\/strong> Software bills of materials (SBOMs) and automated dependency tracking are essential. 
Enterprises must be able to quickly identify whether they\u2019re pulling compromised versions and take immediate action.<\/li>\n<\/ul>\n<p>This npm compromise may go down as the \u201clargest to-date,\u201d but its significance has little to do with its size or the negligible cryptocurrency stolen. Its importance lies in what it reveals about the state of modern software security: our trust in open-source infrastructure is more fragile than we like to admit, and attackers know it.<\/p>\n<p>If we keep measuring the significance of these breaches only by their immediate dollar impact, we\u2019ve missed the point. This was like catching a leaking roof before the storm \u2014 the damage was limited only because it was discovered quickly. Next time, we may not be so fortunate.<\/p>\n<p><em>Brian Fox is co-founder and CTO at Sonatype.&nbsp;<\/em><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"0.69421487603306\">\n<div class=\"author-card\" readability=\"7\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/when-minimal-impact-isnt-reassuring-lessons-from-the-largest-npm-supply-chain-compromise-1.jpg?w=640&#038;ssl=1\" alt=\"Brian Fox\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Brian Fox<\/h4>\n<p> Brian Fox is the founder and CTO of Sonatype. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/npm-supply-chain-compromise-brian-fox-sonatype-op-ed\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When \u2018minimal impact\u2019 isn\u2019t reassuring: lessons from the largest npm<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[280,78,3875,2807,4977,649],"tags":[284,86,3877,2808,4981,652],"class_list":["post-7987","post","type-post","status-publish","format-standard","hentry","category-commentary","category-cybersecurity","category-npm","category-op-ed","category-sonatype","category-supply-chain-security","tag-commentary","tag-cybersecurity","tag-npm","tag-op-ed","tag-sonatype","tag-supply-chain-security"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/commentary\/\" rel=\"category tag\">Commentary<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/npm\/\" rel=\"category tag\">npm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/op-ed\/\" rel=\"category tag\">op-ed<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sonatype\/\" rel=\"category tag\">Sonatype<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain-security\/\" rel=\"category tag\">supply chain security<\/a>","tag_info":"supply chain 
security","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7987","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7987"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7987\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7987"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7987"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7987"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}