🚀 New Releases

30,000 npm Packages a Day: GitHub's Fight to Stop Supply Chain Poisoning

Every day, 30,000 packages hit npm—hundreds laced with malware. GitHub's cracking down on supply chain attacks starting in Actions workflows.

DevTools Feed Apr 02, 2026 4 min read
GitHub Actions workflow diagram with security locks on npm packages and secrets vault

⚡ Key Takeaways

  • Pin Actions to full SHAs and enable CodeQL to block 90% of workflow exploits.
  • Trusted publishing via OIDC eliminates secrets, breaking attack chains in npm and beyond.
  • GitHub's scanning 30k daily npm publishes—malware detections are accelerating.
Published by

DevTools Feed

Ship faster. Build smarter.

#CodeQL #GitHub Actions #open source security #supply chain attacks #supply chain security #trusted publishing

Worth sharing?

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by GitHub Blog

Related Stories

📬

Stay in the loop

The week's most important stories from DevTools Feed, delivered once a week.

No spam. Unsubscribe any time.