Beyond the Hijack: A Guide to Proactively Securing your npm Dependencies with JFrog Curation
In September 2025, the developer community witnessed the largest npm supply chain attack in history. Attackers compromised over 200 popular packages and released more than 500 malicious versions, accounting for over 2 billion weekly downloads. The simplicity of the attack—stealing a single developer’s credentials—highlighted a critical flaw in most DevSecOps programs: security remains reactive, not proactive.
Attackers are masters at exploiting the time window between a new open-source package release and the discovery of its malicious nature. To truly secure your software supply chain, you must strategically shift from a reactive process to a proactive defense that preemptively blocks ‘risky’ packages before they ever enter your development environment.
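One concrete way to close the time window described above is a "minimum release age" gate: a version published too recently to have been scrutinized is held back, and resolution falls to the newest version that has already aged past the window. The following is an added example written for this guide, not JFrog's code and not how JFrog Curation implements its policies. It assumes registry metadata in the shape of an npm packument's `time` map (version to ISO publish timestamp, as `GET https://registry.npmjs.org/<name>` returns); the package name, the dates, the evaluation time and the 7-day window are constructed placeholders.

```javascript
// Added example (not JFrog code): a minimum-release-age gate over npm registry
// metadata. Assumption: `time` has the same shape as a real npm packument's
// `time` field; all names, dates and thresholds below are constructed.
const DAY_MS = 86_400_000;

// Hypothetical policy: quarantine anything younger than 7 days and never
// auto-allow prerelease tags (e.g. "4.1.0-rc.1").
const POLICY = {
  minAgeDays: 7,
  allowPrerelease: false,
};

// Constructed sample packument. The `time` map mirrors the npm registry:
// two non-version keys ("created", "modified") plus one entry per version.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "4.1.0" },
  time: {
    created: "2021-03-01T00:00:00.000Z",
    modified: "2025-09-08T13:10:00.000Z",
    "4.0.0": "2024-11-20T10:00:00.000Z",
    "4.0.1": "2025-06-02T09:30:00.000Z",
    "4.1.0-rc.1": "2025-08-30T12:00:00.000Z",
    "4.1.0": "2025-09-08T13:10:00.000Z", // published 50 minutes before NOW
  },
};

// Constructed evaluation time, so the example is deterministic offline.
const NOW = new Date("2025-09-08T14:00:00.000Z");

// Versions the packument actually lists, each with its publish date.
function publishedVersions(packument) {
  return Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, publishedAt: new Date(iso) }));
}

// Decide whether one exact version (as a lockfile would pin it) may enter
// the environment. Returns a decision object rather than throwing, so a
// caller can log every block with its reason.
function evaluateVersion(packument, version, now = NOW, policy = POLICY) {
  const iso = packument.time[version];
  if (iso === undefined) {
    return { version, allow: false, ageDays: null, reason: "version not in registry metadata" };
  }
  const ageDays = (now - new Date(iso)) / DAY_MS;
  if (!policy.allowPrerelease && version.includes("-")) {
    return { version, allow: false, ageDays, reason: "prerelease" };
  }
  if (ageDays < policy.minAgeDays) {
    return { version, allow: false, ageDays, reason: `younger than ${policy.minAgeDays} days` };
  }
  return { version, allow: true, ageDays, reason: "matured past quarantine window" };
}

// The version a gated resolver would hand out: the most recently published
// version that passes the policy, or null when nothing qualifies yet.
function newestMatureVersion(packument, now = NOW, policy = POLICY) {
  const mature = publishedVersions(packument)
    .filter(({ version }) => evaluateVersion(packument, version, now, policy).allow)
    .sort((a, b) => b.publishedAt - a.publishedAt);
  return mature.length > 0 ? mature[0].version : null;
}

// Human-readable summary of what the gate would do for this packument.
function report(packument = SAMPLE_PACKUMENT, now = NOW, policy = POLICY) {
  const lines = publishedVersions(packument).map(({ version }) => {
    const d = evaluateVersion(packument, version, now, policy);
    const age = d.ageDays === null ? "n/a" : d.ageDays.toFixed(2);
    return `${packument.name}@${version}: ${d.allow ? "ALLOW" : "BLOCK"} (age ${age}d, ${d.reason})`;
  });
  lines.push(`dist-tag latest = ${packument["dist-tags"].latest}; gated resolution = ${newestMatureVersion(packument, now, policy)}`);
  return lines.join("\n");
}

console.log(report());
```

With the constructed data, `4.1.0` (the `latest` dist-tag, published 50 minutes earlier) and the `rc.1` prerelease are blocked, and the gate resolves to `4.0.1`. The window length is the trade-off knob: a longer window gives researchers and registry scanners more time to flag a hijacked release, at the cost of delaying legitimate patches, so pair it with an explicit allow path for security fixes you have reviewed yourself.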
Fortunately, organizations with the right policies in place were completely protected during the npm attack, as the malicious packages were blocked automatically. This guide provides a step-by-step playbook for implementing a proactive defense that can help protect your organization from current and future software supply chain threats.