As likely already posted by others, but still relevant to share regarding the npm package madness:
Potential hardening options for npm, which can be configured globally and at project level:
npm has an option to ignore scripts, ignore-scripts:
Quote from documentation: ‘not run any pre- or post-scripts’
npm (since cli version 11) has an option to set a minimum release age: min-release-age
Quote from documentation: ‘only versions that were available more than given number of days .. will be installed’
Full official documentation: https://docs.npmjs.com/cli/v11/using-npm/config
Note: I have not tested these options. And keep in mind actors will always adapt to measures taken by defenders.
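As an added example (not part of the original post, and not npm's own tooling), here is a small POSIX shell script that writes the two settings into a project-level .npmrc and checks that they are present, so it can serve as a CI gate before anyone runs npm install. The option names and the true/days values are taken from the npm config documentation linked above; the floor of 7 days for min-release-age is an assumed policy value, and the function names (write_hardened_npmrc, npmrc_value, check_npmrc, main) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: enforce the two npm hardening
# settings in a project .npmrc. Keys follow the npm config docs; the 7-day
# floor for min-release-age is an assumed policy value.
set -eu

# write_hardened_npmrc FILE: append each setting if the file does not set it.
write_hardened_npmrc() {
    file="$1"
    touch "$file"
    grep -q '^ignore-scripts=' "$file" || printf 'ignore-scripts=true\n' >> "$file"
    grep -q '^min-release-age=' "$file" || printf 'min-release-age=7\n' >> "$file"
}

# npmrc_value FILE KEY: print the value of KEY in FILE.
# npm honours the last occurrence when a key is repeated, so take the last line.
npmrc_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_npmrc FILE [MIN_DAYS]: succeed only if scripts are ignored and the
# release-age floor is a number of at least MIN_DAYS (default 7).
check_npmrc() {
    file="$1"
    min_days="${2:-7}"
    [ -f "$file" ] || { echo "no $file" >&2; return 1; }
    [ "$(npmrc_value "$file" ignore-scripts)" = "true" ] \
        || { echo "ignore-scripts is not true" >&2; return 1; }
    age="$(npmrc_value "$file" min-release-age)"
    case "$age" in
        ''|*[!0-9]*) echo "min-release-age missing or not a number" >&2; return 1 ;;
    esac
    [ "$age" -ge "$min_days" ] \
        || { echo "min-release-age $age is below $min_days" >&2; return 1; }
    return 0
}

# main FILE: harden the given .npmrc, verify it, and, if npm is installed,
# show what npm itself resolves after merging user and project config.
main() {
    write_hardened_npmrc "$1"
    check_npmrc "$1" && echo "$1: hardened"
    if command -v npm >/dev/null 2>&1; then
        echo "npm resolves ignore-scripts=$(npm config get ignore-scripts)"
        echo "npm resolves min-release-age=$(npm config get min-release-age)"
    fi
}

# Usage: sh harden-npmrc.sh --apply [path/to/.npmrc]
if [ "${1:-}" = "--apply" ]; then
    main "${2:-.npmrc}"
fi
```

Two practical notes. For the user-wide ("global" in the post's sense) equivalent, `npm config set ignore-scripts true` writes the same key to the user-level .npmrc, and a project .npmrc then only needs to avoid overriding it. And with ignore-scripts set, packages that rely on an install script (native add-ons, for example) will not build themselves; those have to be rebuilt deliberately with `npm rebuild` after review, which is the point of the setting but is worth knowing before it breaks a pipeline.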
