Sujith Quintelier

Npm - 1

2026 (4)

April (2)

github: npm trusted publishing now supports CircleCI

GitHub

2026-04-07

npm trusted publishing now supports CircleCI as an OIDC provider for publishing packages to npm. Maintainers can authenticate from CircleCI workflows without stored credentials, alongside existing support for GitHub Actions and GitLab CI/CD.

security: Mitigating the Axios npm supply chain compromise

Microsoft Security Blog

2026-04-01

Microsoft reports that Axios was compromised in a March 31, 2026 npm supply chain attack. Two newly published version-update packages were used to download from command-and-control infrastructure, which Microsoft Threat Intelligence attributes to the North Korean actor Sapphire Sleet.

March (1)

github: Dependabot now detects malware in npm dependencies

GitHub

2026-03-17

Dependabot can now alert on npm dependencies that match known malware advisories. When malware alerting is enabled, it checks repository npm dependencies against malicious package versions.

February (1)

github: npm bulk trusted publishing config and script security now generally available

GitHub

2026-02-18

npm CLI v11.10.0+ adds bulk management for OIDC trusted publishing configurations and makes a script security feature generally available.

© Copyright 2018-Present Sujith Quintelier All Rights Reserved • RSS
