Your application is only as secure as its least secure dependency. And you have 1,200 of them.
Instead of attacking your app directly, attackers compromise a dependency you use:
Target: Major Bank's web app
Direct attack: Hard. They have security teams.
Supply chain attack:
1. Find a small npm package used by the bank
2. Compromise the package maintainer's account
3. Publish malicious version of the package
4. Bank auto-updates dependency
5. Malicious code runs inside the bank's trusted build
This has happened. Multiple times. With real consequences.
event-stream (2018): Attacker gained ownership of popular npm package, added code to steal Bitcoin from specific wallets.
ua-parser-js (2021): Package with 8 million weekly downloads compromised, malicious code installed cryptominer and password stealer.
colors.js & faker.js (2022): Maintainer intentionally sabotaged their own popular packages in protest.
XZ Utils (2024): Multi-year sophisticated attack on Linux compression library nearly got backdoor into SSH.
// Typosquatting — one letter off from popular package
npm install lodahs // Instead of lodash
npm install expresss // Instead of express
// Dependency confusion — malicious package with same name as internal package
// If your org uses "@mycompany/auth" internally
// Attacker publishes "mycompany/auth" to public registry
// npm might download the malicious version
// Account takeover — compromised maintainer account
// Direct malicious version push to legitimate package# Don't allow automatic updates
npm ci # Not npm install — uses lockfile exactly
# Pin to exact versions in package.json
"lodash": "4.17.21" # Not "^4.17.21" (^ allows minor updates)npm audit
npx audit-ci --critical # Fail CI on critical vulnerabilitiesGenerate a list of every dependency and their versions for security review:
npx @cyclonedx/cyclonedx-npm --output-file sbom.jsonUse tools like Socket.dev or Snyk to monitor what packages do:
You cannot personally audit 1,200 dependencies. Automated tooling is the only realistic solution. Set it up, automate it in CI, and monitor alerts.