Over the past couple of years, npm hasn’t necessarily become less secure, but the ecosystem has grown and the attack surface has grown with it. What we’re seeing now is a combination of several long-standing issues converging:

1. The ecosystem is enormous, and attackers follow the scale

npm is the largest public package registry in the world. Attackers target it for the same reason they target popular cloud providers or browsers: one small foothold can give access to thousands of downstream apps.

This has led to:

• Typosquatting / look-alike packages
• Dependency hijacks (especially abandoned packages)
• Malicious maintainers or compromised accounts

These patterns aren’t new, but they’re more frequent simply because npm is bigger than ever.

2. Increased detection makes incidents seem more common

Security companies and independent researchers have dramatically increased automation around npm package scanning. Many attacks that would have gone unnoticed five years ago are now getting caught within minutes or hours.

So part of the “increase” is actually better visibility and faster reporting, not a sudden collapse in security.

3. Maintainer burnout is real

A huge portion of npm’s ecosystem is maintained by:

• Solo developers
• Volunteers
• People with limited time or no funding

Abandoned or rarely maintained packages are prime targets for account takeover or social-engineering attacks. This isn’t an npm-specific problem — it’s the reality of open source at large — but npm feels it more because of the sheer dependency depth common in JS projects.

4. npm has been rolling out security features, but adoption varies

In recent years, npm introduced:

• Mandatory 2FA for top packages
• Scoped tokens and granular publish permissions
• Automated malware detection
• Enhanced provenance / verified publishing (through package signing workflows)

But these tools aren’t yet universally adopted, and attackers take advantage of the long tail of packages with weaker security practices.

5. Most attacks are still small-scale

While the news cycle can make it seem like large modules are constantly compromised, the majority of incidents involve:

• Packages with few downloads
• Short-lived malware uploads
• Automated scanning catching the issue quickly

That doesn’t make the problem trivial, but it’s rarely a catastrophic ecosystem-wide breach.

What helps right now (for maintainers and users)

For maintainers:

• Enable 2FA (preferably “authentication + publish” mode)
• Rotate and scope automation tokens
• Use GitHub’s dependabot alerts and secret scanning
• Adopt verified publishing / package signing if possible
• Treat unsolicited PRs with caution

For users / teams:

• Pin dependencies
• Use tools like Socket, Snyk, or npm-audit for behavior and vulnerability monitoring
• Scan CI/CD pipelines for compromised dependencies
• Prefer mature, actively maintained libraries when possible

Bottom line

What you’re seeing isn’t necessarily a sudden drop in npm’s security — it’s the combination of:

• A massive ecosystem
• More attackers
• Better detection
• Underfunded maintainers
• And a slow transition to stronger security defaults

It feels like more chaos, but part of that is because we’re finally seeing what used to happen silently.