
30,000 npm Packages a Day: GitHub's Fight to Stop Supply Chain Poisoning

Every day, 30,000 packages hit npm—hundreds laced with malware. GitHub's cracking down on supply chain attacks starting in Actions workflows.

[Figure: GitHub Actions workflow diagram with security locks on npm packages and secrets vault]

⚡ Key Takeaways

  • Pin Actions to full SHAs and enable CodeQL to block 90% of workflow exploits.
  • Trusted publishing via OIDC eliminates secrets, breaking attack chains in npm and beyond.
  • GitHub's scanning 30k daily npm publishes—malware detections are accelerating.


Written by Priya Sundaram

Hardware and infrastructure reporter. Tracks GPU wars, chip design, and the compute economy.


Originally reported by GitHub Blog
