
npm Supply Chain Security: Mistakes I Made Publishing My First Packages
I published four npm packages from a pnpm monorepo in March. Node 22, TypeScript, ~4k lines across the four packages, eleven direct dependencies total. First time publishing anything to npm. Within two weeks I'd almost shipped a .env.example, missed a provenance setting that fails with zero output, and found out that 2FA on npm is basically theater once you start using automation tokens.

postinstall

Before my first publish I went through every dependency's package.json looking for lifecycle scripts. Took about an hour. The reason: ua-parser-js in 2021, colors + faker in 2022, @ledgerhq/connect-kit in 2023. All compromised through npm. All exploited postinstall. The attack is dead simple:

    { "scripts": { "postinstall": "node ./setup.js" } }

Runs on npm install. No prompt, no sandbox. Full user permissions. Read env vars, POST them somewhere, done.

pnpm doesn't run lifecycle scripts from deps by default. npm and yarn do. That alone is a reason to use pnpm, honestly. To see which deps
Continue reading on Dev.to Webdev