Tag

Security

Trusted Publishing Is Not a Force Field: What June 2026's npm Attacks Changed

June 2026 made the same point four different ways: if an attacker can take over a maintainer account, a GitHub workflow, or a release runner, they can still ship malware through a trusted package path. The fix is to harden the release lane, not just scan the dependency tree.

5 min read