Tools

Tools: npm Provenance and SLSA: The Supply Chain Hygiene Baseline Every Team Needs in 2026

2026-04-04 0 views admin
Tools: npm Provenance and SLSA: The Supply Chain Hygiene Baseline Every Team Needs in 2026

What Actually Happened and Why Provenance Did Not Save Them

The SLSA Framework: What Levels Actually Mean

Hardening Your npm Publish Pipeline: The Concrete Steps

Step 1: Enable OIDC Trusted Publishing and Remove Classic Tokens

Step 2: Verify Provenance on Install

Step 3: Lock Your Dependency Graph

Step 4: Pin GitHub Actions References

Step 5: Restrict Workflow Permissions

Verifying Third-Party Packages Before You Install

Where Automated SCA Fits Into This

The Token Hygiene Audit Checklist

What a Hardened Supply Chain Posture Looks Like in Practice On March 31, 2026, threat actors compromised the npm account of an axios maintainer and published two backdoored versions: [email protected] and [email protected]. With roughly 83 million weekly downloads and over 2 million dependent packages, it became one of the most consequential supply chain attacks ever recorded against the JavaScript ecosystem. Here is the part that stings: the axios project had done almost everything right. They had npm OIDC Trusted Publishing configured. They had SLSA provenance attestations on their releases. And none of it mattered, because a legacy "classic" npm token was still active in the environment. npm's OIDC Trusted Publishing works by linking package publication to a specific GitHub Actions workflow run. When you publish with provenance enabled, the registry records a cryptographic attestation: this version of this package was built by this workflow at this commit hash. Consumers can verify the attestation before installing. The critical flaw is in npm's authentication hierarchy. When both a classic token and OIDC credentials exist for an account, the classic token takes precedence. The attackers did not need to compromise the CI/CD pipeline, defeat the OIDC trust model, or forge attestations. They found and used a legacy token that bypassed all of it. ⚠️ If your npm account has both OIDC Trusted Publishing configured AND a classic token still active, the classic token can override all provenance controls. Audit your tokens now at npmjs.com/settings/tokens. SLSA (Supply chain Levels for Software Artifacts) defines four levels of supply chain security: For most teams publishing to npm, SLSA 2 is the realistic near-term target. It requires running builds on a hosted CI platform (GitHub Actions, GitLab CI, etc.) with provenance generation enabled, and publishing via OIDC rather than classic tokens. After enabling OIDC, go to npmjs.com/settings/tokens and revoke all classic publish tokens. Remove NPM_TOKEN from your GitHub secrets. If you need a token for read operations, create a read-only granular access token. This command verifies that every package in your node_modules has a valid cryptographic signature from the registry. Add it as a required, blocking step in your CI pipeline. It adds less than 10 seconds to most installs and catches packages published without provenance. Use npm ci instead of npm install in all CI and production environments. It enforces the lockfile exactly, fails on any deviation, and is faster. The --ignore-scripts flag prevents postinstall hooks from running, which would have prevented the WAVESHAPER.V2 payload from executing in the axios attack. Note: --ignore-scripts may break packages that require build steps on install. Test in development first. For packages that require postinstall, explicitly allowlist them in .npmrc with ignore-scripts-with-allowlist. Tags are mutable. A compromised action repository can push malicious code to an existing tag. SHA pinning ensures you are running exactly the code you reviewed. Use Dependabot with the following config to keep pinned SHAs updated: GitHub Actions workflows default to read permissions on all resources. Explicitly denying permissions at the workflow level and granting only what each job requires limits the blast radius if a step is compromised. Practical heuristic: if a new version of a major dependency lacks provenance attestations and was published via CLI (visible in the package metadata as npm publish rather than a CI workflow), treat it as suspicious and hold the update until provenance is available. A meaningful SCA check in 2026 goes beyond CVE lookups: The ideal SCA check runs locally, before the lockfile change is committed, and before any install happens. This is the only timing that can prevent execution of malicious postinstall code. Run this audit now, before the next attack: The teams that caught the axios attack quickly had several things in common. They enforced npm ci --ignore-scripts in all CI environments. They ran npm audit signatures as a blocking CI step. They had alerting configured for new versions of top-100 dependencies published without provenance attestations. And they had no classic npm tokens active on maintainer accounts. The March 2026 TeamPCP campaign went beyond axios. The same group backdoored the LiteLLM Python package and the Telnyx Node SDK through a cascading trust chain that exploited compromised CI/CD credentials. They also compromised the Trivy security scanner directly, using it to steal cloud credentials from CI pipelines. The attack surface is expanding to include the tools used to audit dependencies. The response is not to trust less but to verify more explicitly. Cryptographic provenance, behavioral analysis, and token hygiene together create a baseline that makes opportunistic supply chain attacks significantly harder to execute at scale. Install LucidShark with npx lucidshark init to run SCA scans locally. It integrates directly with Claude Code via MCP, running dependency verification before your agent installs anything. Your manifest stays on your machine. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

# .github/workflows/publish.yml permissions: contents: read id-token: write # Required for OIDC provenance jobs: publish: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: '20' registry-url: 'https://registry.npmjs.org' - run: -weight: 500;">npm ci - run: -weight: 500;">npm publish --provenance --access public env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # Use OIDC, not this secret # .github/workflows/publish.yml permissions: contents: read id-token: write # Required for OIDC provenance jobs: publish: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: '20' registry-url: 'https://registry.npmjs.org' - run: -weight: 500;">npm ci - run: -weight: 500;">npm publish --provenance --access public env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # Use OIDC, not this secret # .github/workflows/publish.yml permissions: contents: read id-token: write # Required for OIDC provenance jobs: publish: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: '20' registry-url: 'https://registry.npmjs.org' - run: -weight: 500;">npm ci - run: -weight: 500;">npm publish --provenance --access public env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # Use OIDC, not this secret -weight: 500;">npm audit signatures -weight: 500;">npm audit signatures -weight: 500;">npm audit signatures -weight: 500;">npm ci --ignore-scripts -weight: 500;">npm ci --ignore-scripts -weight: 500;">npm ci --ignore-scripts # Vulnerable: uses a mutable tag - uses: actions/checkout@v4 # Hardened: pinned to specific commit SHA - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Vulnerable: uses a mutable tag - uses: actions/checkout@v4 # Hardened: pinned to specific commit SHA - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Vulnerable: uses a mutable tag - uses: actions/checkout@v4 # Hardened: pinned to specific commit SHA - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # .github/dependabot.yml version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" # .github/dependabot.yml version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" # .github/dependabot.yml version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" # At the workflow level, deny all permissions by default permissions: {} jobs: publish: permissions: contents: read id-token: write # Only what this job actually needs # At the workflow level, deny all permissions by default permissions: {} jobs: publish: permissions: contents: read id-token: write # Only what this job actually needs # At the workflow level, deny all permissions by default permissions: {} jobs: publish: permissions: contents: read id-token: write # Only what this job actually needs # Check provenance attestation for a specific package -weight: 500;">npm audit signatures --json | jq '.[] | select(.name == "axios")' # View attestation metadata directly -weight: 500;">npm view [email protected] --json | jq '.dist.attestations' # For the malicious versions: this would return null or an object missing the SLSA predicate # Check provenance attestation for a specific package -weight: 500;">npm audit signatures --json | jq '.[] | select(.name == "axios")' # View attestation metadata directly -weight: 500;">npm view [email protected] --json | jq '.dist.attestations' # For the malicious versions: this would return null or an object missing the SLSA predicate # Check provenance attestation for a specific package -weight: 500;">npm audit signatures --json | jq '.[] | select(.name == "axios")' # View attestation metadata directly -weight: 500;">npm view [email protected] --json | jq '.dist.attestations' # For the malicious versions: this would return null or an object missing the SLSA predicate # List all active -weight: 500;">npm tokens -weight: 500;">npm token list # Revoke specific tokens -weight: 500;">npm token revoke <token-id> # Check for NPM_TOKEN in GitHub Actions secrets # Go to: github.com/{org}/{repo}/settings/secrets/actions # List all active -weight: 500;">npm tokens -weight: 500;">npm token list # Revoke specific tokens -weight: 500;">npm token revoke <token-id> # Check for NPM_TOKEN in GitHub Actions secrets # Go to: github.com/{org}/{repo}/settings/secrets/actions # List all active -weight: 500;">npm tokens -weight: 500;">npm token list # Revoke specific tokens -weight: 500;">npm token revoke <token-id> # Check for NPM_TOKEN in GitHub Actions secrets # Go to: github.com/{org}/{repo}/settings/secrets/actions - SLSA 0: No guarantees. Most -weight: 500;">npm packages today. - SLSA 1: Build process documented and scripted. Provenance exists but not authenticated. - SLSA 2: Build on hosted CI with authenticated provenance. -weight: 500;">npm registry supports this natively. This is where you need to be. - SLSA 3: Build platform itself is hardened. Achievable but requires deliberate effort. - Provenance verification: Does this package version have a valid SLSA attestation from a trusted CI environment? - Behavioral analysis: Are there new network calls, filesystem access patterns, or postinstall scripts compared to the previous version? - Dependency graph diffing: What changed in the full transitive dependency tree between your current and proposed lockfile? - Verify OIDC Trusted Publishing is configured in npmjs.com package settings for all packages you publish - Remove NPM_TOKEN GitHub Actions secrets from all repositories - Rotate any tokens that were used in CI in the last 90 days - Enable -weight: 500;">npm 2FA enforcement at the organization level (npmjs.com/org/{org}/settings) - Review the list of users with publish access to each package

🏷️ Tags

toolsutilitiessecurity toolsprovenancesupplychainhygienebaselineeveryneeds

More from Tools

Tools: Essential Guide: Devices Paralelos Bacula: Configurar 10 Devices para Alta Concorrência

Tools: Essential Guide: Devices Paralelos Bacula: Configurar 10 Devices para Alta Concorrência

2026-04-04 0
Tools: Latest: Why SSH Key Management Is Broken and How Certificates Fix It

Tools: Latest: Why SSH Key Management Is Broken and How Certificates Fix It

2026-04-04 0
Tools: Windows 11 Security Hardening: Practical Steps That Actually Matter (2026)

Tools: Windows 11 Security Hardening: Practical Steps That Actually Matter (2026)

2026-04-04 0
Tools: Report: How to Convert WebP to JPG (5 Free Methods)

Tools: Report: How to Convert WebP to JPG (5 Free Methods)

2026-04-04 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views