
Practical Checklist for Evaluating npm Packages to Mitigate Supply Chain Attacks
Software Supply Chain, Package Security, Open Source Security, Supply Chain Attacks
The post outlines a checklist for assessing npm packages, focusing on key security signals and risks: provenance attestation, OIDC trusted publishing, install script risks, SHA-pinned CI actions, and slopsquatting (where attackers register package names hallucinated by LLMs). It presents a tiered structure separating security-critical signals from operational maturity indicators.