ctipilot.ch


npm supply-chain worms — a sustained wave across the week

From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29

Three separate npm-ecosystem supply-chain events were in play across the window, and the pattern is the story. Microsoft attributed the Mastra scope compromise (140+ @mastra packages, postinstall dropper) to North Korea's Sapphire Sleet (covered in the daily on 06-21). JFrog documented PostCSS typosquats from the abdrizak account delivering a Nuitka-compiled Python RAT with Chrome DPAPI credential theft. And on 2026-06-25 Socket reported a fresh wave of Miasma / "Mini Shai-Hulud", the self-propagating supply-chain worm last seen backdooring @redhat-cloud-services, this time across LeoPlatform/RStreams packages (carried in the daily 06-27).

The synthesis: the npm registry is under continuous, parallel pressure from a state actor (DPRK), commodity typosquat crews and a self-replicating worm — three different operators, one ecosystem. The common control is the same one npm v12 is about to enforce by default: disable install scripts (--ignore-scripts), pin and review dependencies, and treat CI build-time package resolution as an attack surface. (daily 06-21, daily 06-24, daily 06-27)
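As an added illustration of the controls named in the paragraph above (this is example code written for this brief, not code from the summary or from any of the vendors it cites), the POSIX shell snippet below audits a checked-out npm project for two settings a CI job should enforce before it resolves packages: lifecycle scripts disabled in the project-level .npmrc, and every dependency specifier pinned to an exact version. The .npmrc and package.json contents are constructed samples, and the package names example-lib-a / -b / -c are hypothetical.

```shell
#!/bin/sh
# Added example, not from the brief: audit an npm project checkout for the
# two controls the summary names. All sample files are constructed.

# Does the project-level .npmrc disable lifecycle (postinstall etc.) scripts?
# This is the persistent form of the per-command flag: npm ci --ignore-scripts
npmrc_ignores_scripts() {
  [ -f "$1" ] && grep -Eq '^[[:space:]]*ignore-scripts[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Print "name spec" for each dependency in package.json whose specifier is not
# an exact semver version (ranges such as ^1.2.3 or ~1.2.3, "latest", "*",
# git/URL sources). Exit status 1 if any were found, 0 if all are pinned.
# Line-based parse: relies on one "name": "spec" pair per line, which is how
# npm itself writes package.json.
unpinned_deps() {
  sed -nE '/"(dev|peer|optional)?[dD]ependencies"[[:space:]]*:/,/\}/p' "$1" \
    | grep -E '^[[:space:]]*"[^"]+"[[:space:]]*:[[:space:]]*"[^"]*"' \
    | sed -E 's/^[[:space:]]*"([^"]+)"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1 \2/' \
    | awk '$2 !~ /^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$/ { print; bad = 1 }
           END { exit bad + 0 }'
}

# Constructed sample projects: "weak" has no .npmrc and uses version ranges,
# "hardened" disables scripts and pins everything. Prints the directory.
make_sample() {
  d=$(mktemp -d)
  if [ "$1" = hardened ]; then
    # save-exact keeps future "npm install <pkg>" additions pinned too
    printf 'ignore-scripts=true\nsave-exact=true\n' > "$d/.npmrc"
    cat > "$d/package.json" <<'EOF'
{
  "name": "sample-app",
  "dependencies": {
    "example-lib-a": "1.4.2",
    "example-lib-b": "3.0.0"
  },
  "devDependencies": {
    "example-lib-c": "2.0.0"
  }
}
EOF
  else
    cat > "$d/package.json" <<'EOF'
{
  "name": "sample-app",
  "dependencies": {
    "example-lib-a": "^1.4.0",
    "example-lib-b": "latest"
  },
  "devDependencies": {
    "example-lib-c": "2.0.0"
  }
}
EOF
  fi
  echo "$d"
}

# Walk-through on both constructed samples.
for kind in weak hardened; do
  dir=$(make_sample "$kind")
  printf '%s project:\n' "$kind"
  if npmrc_ignores_scripts "$dir/.npmrc"; then
    echo "  ok   lifecycle scripts disabled"
  else
    echo "  FAIL .npmrc does not set ignore-scripts=true"
  fi
  if out=$(unpinned_deps "$dir/package.json"); then
    echo "  ok   all dependencies pinned"
  else
    echo "  FAIL unpinned specifiers:"
    echo "$out"
  fi
  rm -rf "$dir"
done
```

Running it against the weak sample reports both findings (no ignore-scripts setting; example-lib-a and example-lib-b not pinned) and passes the hardened one. In a pipeline the same two functions gate the build step before `npm ci --ignore-scripts` runs, so a freshly published postinstall dropper in a transitive dependency never gets to execute on the runner.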