npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders
Blog post from Socket
An npm tooling bug mistakenly applied security-holder metadata to several one-character package names (single letters and digits). Each affected package received a placeholder version, 0.0.1-security, and its latest dist-tag was moved to that placeholder. Previously published versions stayed installable, and there was no public evidence that any of the packages had been compromised. npm acknowledged the error, attributed it to a tooling mistake, and has since corrected it.

A 0.0.1-security version is what npm normally publishes in place of a package removed for security reasons, so any resolver that picked latest while the bad tag was in place would have installed the stub placeholder instead of the real code. Developers are advised to check their lockfiles for placeholder versions and confirm that the dependency manager resolved the intended version rather than the temporary placeholder. The incident shows how much registry metadata matters to the software supply chain: incorrect metadata can cause confusion even when the package code itself never changes. As of June 9, 2026, npm confirmed that the affected packages are no longer marked incorrectly.
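The lockfile check recommended above, written out as an added example that is not part of the Socket post or of npm's tooling. It walks a package-lock.json in either the v1 nested "dependencies" shape or the v2/v3 flat "packages" shape and reports any entry whose version carries the -security placeholder suffix. The embedded lockfile is constructed for the demo; the package names in it (a, lodash, b) are illustrative and are not a claim about which packages the incident affected.

```javascript
// Added example: find npm "security holder" placeholder versions
// (e.g. 0.0.1-security) in a package-lock.json.
// Not code from the Socket post or from npm; the sample lockfile below is constructed.

// Any prerelease tag of "security" is treated as a placeholder; 0.0.1-security
// is the form npm actually publishes.
const PLACEHOLDER_RE = /-security$/;

function packageNameFromPath(path) {
  // v2/v3 keys look like "node_modules/a" or
  // "node_modules/lodash/node_modules/b" or "node_modules/@scope/pkg".
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns [{ name, version, resolved }] for every placeholder entry found.
function findPlaceholders(lock) {
  const hits = [];
  const seen = new Set();
  const record = (name, version, resolved) => {
    if (!version || !PLACEHOLDER_RE.test(version)) return;
    const key = `${name}@${version}`;
    if (seen.has(key)) return; // v2 lockfiles list the same dep in both sections
    seen.add(key);
    hits.push({ name, version, resolved: resolved || null });
  };

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    record(entry.name || packageNameFromPath(path), entry.version, entry.resolved);
  }

  // lockfileVersion 1 (and the v2 compatibility section): nested "dependencies".
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      record(name, entry.version, entry.resolved);
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);

  return hits;
}

// Constructed sample: one dependency resolved to the placeholder, two normal ones.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { a: '^2.1.0', lodash: '^4.17.21' } },
    'node_modules/a': {
      version: '0.0.1-security',
      resolved: 'https://registry.npmjs.org/a/-/a-0.0.1-security.tgz',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    },
    'node_modules/lodash/node_modules/b': { version: '1.2.3' },
  },
};

function report(lock, label) {
  const hits = findPlaceholders(lock);
  if (hits.length === 0) {
    console.log(`${label}: no security-holder placeholders found`);
  } else {
    for (const h of hits) {
      console.log(`${label}: ${h.name}@${h.version} resolved from ${h.resolved || '(no resolved URL)'}`);
    }
  }
  return hits;
}

// Usage: node check-lock.js [path/to/package-lock.json]
// With no path, the constructed sample above is scanned instead.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  if (file) {
    const lock = JSON.parse(require('fs').readFileSync(file, 'utf8'));
    if (report(lock, file).length > 0) process.exitCode = 1; // fail CI on a placeholder
  } else {
    report(SAMPLE_LOCK, 'sample');
  }
}
```

A hit means the lockfile pinned the stub, so a fresh `npm ci` would install it; the fix is to re-resolve the dependency to the intended version and commit the corrected lockfile.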