
The $60 Billion Problem Nobody's Fixing: Why Package Registries Keep Getting Hacked

A data-driven investigation into why 83% of supply chain attacks could have been prevented, and why the solution that already exists remains ignored.

Supply Chain Security

A developer's worst Monday

It's 8:47 AM on Monday, March 31, 2026. Sarah, a senior engineer at a fintech startup, runs npm install to set up a new team member's development environment. Three hours later, her company's AWS credentials, database passwords, and customer API keys are on a server in Pyongyang.

She didn't click a phishing link. She didn't download suspicious software. She simply installed axios, the most popular HTTP library in JavaScript, trusted by millions of developers worldwide. Between 00:21 and 03:20 UTC that morning, a North Korean threat actor known as UNC1069 had compromised the axios maintainer's account and published versions containing WAVESHAPER.V2, a fully functional remote access trojan. In three hours, roughly 3% of axios's user base had pulled the compromised package.

This wasn't an isolated incident. It was the latest in an accelerating pattern that has cost the global economy $60 billion in 2025 alone. And the solution has existed for three years.

Two weeks earlier: the LiteLLM breach

On March 24, 2026, the AI infrastructure package litellm (present in 36% of cloud environments and used by Stripe, Netflix, and Google) was backdoored through a sophisticated attack chain. The threat actor, TeamPCP, compromised the Trivy security scanner's GitHub Action, waited for LiteLLM's CI pipeline to run, harvested the PYPI_PUBLISH_PASSWORD from the CI environment, and published malicious versions. The payload harvested SSH keys, cloud credentials across AWS/GCP/Azure, Kubernetes secrets, database passwords, and cryptocurrency wallets. The malicious versions were live for approximately three hours. LiteLLM gets 3.4 million downloads per day.

Eight years of preventable attacks

These attacks aren't new. They follow a pattern that has repeated since 2018: an attacker compromises maintainer credentials and publishes a malicious version using the stolen access; millions of downstream projects auto-update; detection takes hours to months, while the damage is immediate. And in every single case, the same solution would have prevented the attack.

The solution that already exists

In April 2023, PyPI launched Trusted Publishers, a mechanism that eliminates the need for stored credentials entirely. Publishing requires the actual CI/CD pipeline to generate a short-lived OIDC token verified against the registered repository. No tokens to steal. No accounts to compromise. Full cryptographic provenance on every package. npm followed in July 2025. crates.io launched the same month.

The axios attack? Impossible with trusted publishing: the attacker changed the maintainer's email, but couldn't run code from the legitimate axios GitHub repository. The LiteLLM attack? Even with stolen PyPI credentials, the attacker couldn't publish because trusted publishing would have required the actual CI pipeline.
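The registry-side decision described above can be sketched as follows. This is an added example, not code from PyPI, npm, or crates.io: it assumes the token's signature has already been verified against the issuer's keys, models a GitHub Actions publisher only, and uses made-up repository and workflow names.

```python
import time
from dataclasses import dataclass
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

@dataclass(frozen=True)
class TrustedPublisher:
    """What a maintainer registers with the registry (simplified model)."""
    repository: str                    # "owner/name"
    workflow: str                      # file under .github/workflows/
    environment: Optional[str] = None  # optional deployment environment
    audience: str = "pypi"             # audience the registry expects

def authorize_publish(claims: Optional[dict], pub: TrustedPublisher,
                      now: Optional[float] = None) -> tuple[bool, str]:
    """Decide whether already signature-verified OIDC claims may publish."""
    now = time.time() if now is None else now
    if not claims:
        return False, "no OIDC token presented"
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    if claims.get("aud") != pub.audience:
        return False, "token minted for a different audience"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("repository") != pub.repository:
        return False, "token comes from a different repository"
    # job_workflow_ref looks like "owner/repo/.github/workflows/file.yml@ref"
    expected = f"{pub.repository}/.github/workflows/{pub.workflow}@"
    if not claims.get("job_workflow_ref", "").startswith(expected):
        return False, "token comes from a different workflow"
    if pub.environment and claims.get("environment") != pub.environment:
        return False, "token comes from a different environment"
    return True, "ok"

# Constructed sample values, not taken from any real project.
PUBLISHER = TrustedPublisher("example-org/example-lib", "release.yml", "release")
NOW = 1_700_000_000
GOOD = {"iss": GITHUB_ISSUER, "aud": "pypi", "exp": NOW + 600,
        "repository": "example-org/example-lib", "environment": "release",
        "job_workflow_ref": "example-org/example-lib/.github/workflows/release.yml@refs/tags/v1.2.3"}

def demo() -> dict:
    cases = {"legit_ci": GOOD,
             "stolen_password_only": None,  # account credentials, but no CI token
             "other_repo": {**GOOD, "repository": "someone-else/example-lib"},
             "expired": {**GOOD, "exp": NOW - 1}}
    return {name: authorize_publish(c, PUBLISHER, NOW)[0] for name, c in cases.items()}
```

The check binds a publish to a workflow identity; it says nothing about what runs inside that workflow, so pinning third-party actions in the release job remains a separate control.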

The technology exists. It's free. It works. So why isn't everyone using it?

We analyzed 75 packages

At VulNow, we conducted a comprehensive analysis of the top 25 most-downloaded packages across PyPI, npm, and crates.io over the last 90 days. Combined, these 75 packages represent 175 billion downloads.

Registry: Trusted Publishing Adoption (top 25)
PyPI: 48%
npm: 8%
crates.io: 8%

Only 2 of the top 25 npm packages have trusted publishing, both maintained by npm itself. No third-party maintainer in the top 25 has adopted it. The chalk organization alone accounts for 29.7 billion downloads in 90 days. All were compromised in September 2025. None have trusted publishing today.

Packages attacked and still unprotected

Of 24 packages involved in supply chain attacks from 2018 to 2026, only 4 (17%) have adopted trusted publishing. Seven packages from the September 2025 attack remain in the top 25 by downloads. None have trusted publishing.

The numbers

$60B: Global supply chain attack costs in 2025
267d: Avg days to detect and contain a supply chain breach (IBM)
150%: Increase in supply chain cyber insurance claims H1 2024 to H1 2025

Why isn't everyone using trusted publishing?

Five contributing factors: inertia (packages without active maintainers can't implement changes), complexity perception (OIDC configuration is perceived as difficult despite taking 15 minutes), multi-maintainer coordination (coordinated workflow changes are hard to orchestrate), the "it won't happen to me" assumption (chalk was attacked and is still unprotected seven months later), and, most structurally, the fact that no registry enforces it.

The path forward

For package maintainers: enable trusted publishing today (it takes 15 minutes). For security teams: audit dependencies for trusted publishing status and prioritize packages without attestations in risk assessments. For registry operators: enforce OIDC for all new packages, mandate it for packages previously involved in supply chain attacks, and set deadlines for high-download packages to adopt.
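For the security-team audit, here is an added example (not VulNow's tooling) that ranks dependencies whose latest release carries no provenance attestation. It goes one step beyond the text by also flagging a package that had attestations on earlier releases and lost them on the newest one. It assumes metadata shaped like npm's per-version `dist.attestations` field, with versions listed in publish order; package names and download counts are constructed.

```python
# Constructed metadata; in practice this would be fetched from the registry.
PROV = {"dist": {"attestations": {"provenance": {
    "predicateType": "https://slsa.dev/provenance/v1"}}}}
NONE = {"dist": {}}

SAMPLE = {
    "alpha-http": {"downloads": 900,  "versions": {"1.0.0": PROV, "1.0.1": NONE}},
    "beta-color": {"downloads": 5000, "versions": {"2.0.0": NONE, "2.1.0": NONE}},
    "gamma-log":  {"downloads": 700,  "versions": {"0.9.0": NONE, "1.0.0": PROV}},
    "delta-util": {"downloads": 100,  "versions": {"3.0.0": NONE}},
}

def has_provenance(version_meta: dict) -> bool:
    """True when the version metadata references a provenance attestation."""
    att = version_meta.get("dist", {}).get("attestations") or {}
    return bool(att.get("provenance", {}).get("predicateType"))

def audit(packages: dict) -> list[dict]:
    """Return unattested packages, highest priority first."""
    findings = []
    for name, meta in packages.items():
        versions = list(meta["versions"])  # assumed to be in publish order
        flags = [has_provenance(meta["versions"][v]) for v in versions]
        if flags[-1]:
            continue  # latest release is attested, nothing to report
        # Attested before but not now: the release left the usual CI path.
        status = "provenance-regression" if any(flags[:-1]) else "never-attested"
        findings.append({"package": name, "latest": versions[-1],
                         "status": status, "downloads": meta["downloads"]})
    # Regressions first, then by exposure (download count, descending).
    findings.sort(key=lambda f: (f["status"] != "provenance-regression",
                                 -f["downloads"]))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['status']:<22} {f['package']}@{f['latest']} "
              f"({f['downloads']} downloads)")
```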

Every npm install is an act of trust. For 92% of the top npm packages, that bet relies entirely on whether a maintainer's email password is strong enough to resist a North Korean APT. That's not security. That's hope. And hope is not a strategy.

This analysis is based on original research examining 75 packages across PyPI, npm, and crates.io, 24 documented supply chain attacks from 2018–2026, and economic data from IBM, Verizon, Munich Re, and other industry sources.
