← Back to all briefs
Security60s read

npm Supply-Chain Attack Wave: What Frontend Teams Must Audit Now

A coordinated campaign injected malicious code into 14 widely-used npm packages last week. We break down the affected packages, detection steps for your lockfile, and the one CI flag that catches this.

A coordinated supply-chain attack compromised 14 npm packages last week, some with over 2 million weekly downloads. The attack targeted maintainer accounts through credential stuffing, then published patch versions containing obfuscated malware.

Affected packages (partial list)

Package Weekly Downloads Malicious Version
@scope/utility-helpers 2.1M 3.4.1
react-form-utils 850K 2.9.0
dev-server-middleware 620K 1.8.3
(11 others confirmed)

What the malware does

The injected code exfiltrates environment variables and .env file contents to a command-and-control server. It targets NPM_TOKEN, GITHUB_TOKEN, and any variable containing KEY, SECRET, or TOKEN.

Immediate actions

1. Audit your lockfile

npm audit --production
# Check for the specific CVE IDs:
# CVE-2026-38471 through CVE-2026-38484

2. Rotate exposed secrets

Any CI environment that installed these packages during the compromise window (May 19–24, 2026) should rotate all secrets immediately.

3. Enable this CI flag

# GitHub Actions
- run: npm install --audit --audit-level=high
  # Fails the build on high/critical advisories

Prevention that actually works

  1. Pin dependencies, "react-form-utils": "2.8.0" not "^2.8.0"
  2. Use --audit in CI, fail builds on new advisories
  3. GitHub's npm package provenance, verifies publish origin
  4. Socket.dev or Snyk, behavioral analysis beyond CVE databases

The bottom line

The attack window was 5 days. If your CI installed any dependency updates between May 19–24, assume compromise and rotate secrets. The --audit flag would have caught this, if that flag was on.