In December 2025, in response to the Sha1-Hulud incident, npm completed a major authentication overhaul intended to reduce supply-chain attacks. While the overhaul is a solid step forward, the changes dont make npm projects immune from supply-chain attacks. npm is still susceptible to malware attacks heres what you need to know for a safer Node community. Lets start with the original