
Protecting your Supabase projects from npm supply chain attacks

Blog post from Supabase

Company: Supabase
Word count: 1,922
Language: English
Summary

Supply chain attacks on the npm registry are on the rise, with attackers using methods such as typosquatting and build-pipeline compromises to plant malicious code in trusted packages and harvest sensitive credentials. A notable example was a phony package impersonating Supabase, which npm took down quickly after it was reported. In response, Supabase has launched a coordinated effort to improve security, including publishing a security guide, hardening its GitHub Actions workflows, and educating users. The post outlines the common patterns behind these attacks and suggests several mitigations: updating to pnpm 11, pinning package versions, committing lockfiles, and disabling dependency install (lifecycle) scripts so that a compromised package cannot execute code at install time. It stresses verifying package names before installing and keeping strict control over GitHub Actions to reduce exposure. The closing advice is that while these attacks are becoming more frequent and lucrative, effective defenses exist and should be applied proactively.