npm Supply-Chain Attack Wave: What Frontend Teams Must Audit Now
A coordinated campaign injected malicious code into 14 widely-used npm packages last week. We break down the affected packages, detection steps for your lockfile, and the one CI flag that catches this.
A coordinated supply-chain attack compromised 14 npm packages last week, some with over 2 million weekly downloads. The attack targeted maintainer accounts through credential stuffing, then published patch versions containing obfuscated malware.
Affected packages (partial list)
| Package | Weekly Downloads | Malicious Version |
|---|---|---|
@scope/utility-helpers |
2.1M | 3.4.1 |
react-form-utils |
850K | 2.9.0 |
dev-server-middleware |
620K | 1.8.3 |
| (11 others confirmed) |
What the malware does
The injected code exfiltrates environment variables and .env file contents to
a command-and-control server. It targets NPM_TOKEN, GITHUB_TOKEN, and any
variable containing KEY, SECRET, or TOKEN.
Immediate actions
1. Audit your lockfile
npm audit --production
# Check for the specific CVE IDs:
# CVE-2026-38471 through CVE-2026-38484
2. Rotate exposed secrets
Any CI environment that installed these packages during the compromise window (May 19–24, 2026) should rotate all secrets immediately.
3. Enable this CI flag
# GitHub Actions
- run: npm install --audit --audit-level=high
# Fails the build on high/critical advisories
Prevention that actually works
- Pin dependencies,
"react-form-utils": "2.8.0"not"^2.8.0" - Use
--auditin CI, fail builds on new advisories - GitHub's npm package provenance, verifies publish origin
- Socket.dev or Snyk, behavioral analysis beyond CVE databases
The bottom line
The attack window was 5 days. If your CI installed any dependency updates
between May 19–24, assume compromise and rotate secrets. The --audit flag
would have caught this, if that flag was on.