Not trying to start a fire here, but I’m surprised how quickly the 2025 supply chain attack faded from day-to-day conversations.
Compromised npm packages, malicious code slipping in through trusted GitHub repos, and most teams I talk to still update dependencies like nothing happened. Same workflows, same assumptions.
Was this actually a turning point for anyone, or did we collectively decide it was “someone else’s problem”?
20 Views
It definitely changed how I think, even if it didn’t flip everything overnight.
What hit me was how little direct action it took. No shady install commands, no obvious red flags. Just normal dependency updates doing what they’ve always done. That part still makes me uncomfortable.
We’ve slowed things down since then. Fewer auto-merges, more eyeballs on updates. Not perfect, but better than pretending trust is free.
I think a lot of teams quietly absorbed the lesson without saying much.
For us, it wasn’t “npm is unsafe,” it was realizing how much we rely on upstream actors we don’t control. Once something poisoned gets far enough up the chain, you don’t even get a choice.
We tightened CI, locked dependencies harder, and limited what can reach production. Not exciting work, but the incident made it hard to justify not doing it.
What bothered me wasn’t the attack. It was the reaction.
Too many teams treated it like a one-off breach instead of a symptom. Package poisoning worked because our defaults assume goodwill at massive scale. That assumption hasn’t really changed.
If anything, 2025 showed that “we’ll catch it in scanning” is optimistic at best. The real risk is how fast bad code can move before anyone even knows to look.
Don't have an account? Sign up
