RapidFort Blog

PyPI, npm, and the New Frontline of Software Supply Chain Attacks


This post explains how attacks on PyPI and npm are shifting toward compromising already-trusted packages and the accounts of their maintainers, so that malicious code ships through the registries' own legitimate update channels rather than through look-alike packages. Because developer tooling and CI systems often pull those updates automatically, a poisoned release can harvest credentials and propagate to other environments before anyone reviews it. The post argues for tighter controls on three fronts: which dependency versions are allowed in, who holds maintainer and CI credentials, and what the CI/CD pipeline itself is permitted to do.
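One concrete control on the dependency front is to refuse any requirement that can float to a newer release or that is not tied to a specific artifact hash, which is what pip's hash-checking mode (`pip install --require-hashes`) enforces at install time. The script below, an added example rather than code from RapidFort or from the post, audits a pip requirements file ahead of install and reports entries that a silently pushed malicious release could satisfy. It assumes standard pip requirements syntax (`name==version --hash=sha256:<hex>`, backslash continuations, `#` comments) and pip's set of accepted strong hash algorithms; the sample file and its hash values are constructed for the example.

```python
"""Audit a pip requirements file for dependencies a poisoned release could satisfy.

Added example, not RapidFort's code. Assumes pip requirements syntax and pip's
hash-checking mode, which accepts only sha256/sha384/sha512. This check does not
contact a registry; it enforces a local policy: every requirement must be pinned
with '==' and carry at least one strong '--hash='.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input; the hash hex values are placeholders, not real digests.
SAMPLE_REQUIREMENTS = """\
# pinned and hashed: a different artifact with the same version is rejected by pip
requests==2.32.3 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# pinned but unhashed: a re-uploaded or tampered artifact for 2.2.2 still installs
urllib3==2.2.2
# version range: any future release, including a malicious one, satisfies it
certifi>=2024.0.0
# no version at all: always resolves to the newest release
idna
# hashed with an algorithm pip's hash-checking mode does not accept
packaging==24.1 --hash=md5:d41d8cd98f00b204e9800998ecf8427e
"""

STRONG_HASHES = {"sha256", "sha384", "sha512"}

# name, optional extras, optional comparison operator, optional version
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)
HASH_RE = re.compile(r"--hash=([A-Za-z0-9]+):")


@dataclass
class Finding:
    line_no: int            # first physical line of the requirement
    name: str
    problems: list = field(default_factory=list)


def _logical_lines(text):
    """Yield (first_line_no, joined_text), honouring '\\' continuations and comments."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        # pip treats '#' at line start or after whitespace as a comment
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def audit_requirements(text):
    """Return a Finding for every requirement that is unpinned, unhashed or weakly hashed."""
    findings = []
    for line_no, logical in _logical_lines(text):
        if logical.lstrip().startswith("-"):  # option lines such as -r, -e, --index-url
            continue
        m = REQ_RE.match(logical)
        if not m:
            continue
        name, _extras, op, _version = m.groups()
        problems = []
        if op != "==":
            problems.append("not pinned with ==")
        algos = HASH_RE.findall(logical)
        if not algos:
            problems.append("no --hash")
        for algo in algos:
            if algo.lower() not in STRONG_HASHES:
                problems.append(f"weak hash algorithm: {algo}")
        if problems:
            findings.append(Finding(line_no, name, problems))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.name}: {', '.join(f.problems)}")
```

Run against the sample, the script reports `urllib3`, `certifi`, `idna` and `packaging` and leaves `requests` alone. Gating a CI job on an empty result, then installing with `--require-hashes`, means a maintainer-account takeover that pushes a new version or swaps an artifact cannot enter the build without a reviewed change to the requirements file.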