After the Mini Shai-Hulud npm attack, what security practices are developers actually using for npm/package safety?
The “Mini Shai-Hulud” npm attack feels like a turning point for AI-assisted development and vibe coding.
A lot of developers now rely on AI agents, rapid scaffolding, and quick npm installs without deeply auditing dependencies. But this attack reportedly compromised trusted package publishing itself and targeted CI/CD secrets.
If trusted packages can temporarily become malicious, are we entering a phase where local AI coding workflows become a major supply-chain attack surface?
Curious how other developers are adapting:
- sandboxing?
- isolated dev containers?
- limiting terminal agent permissions?
- dependency scanning?
- avoiding npx?
Especially interested in hearing from people using AI-assisted coding heavily.
u/UniqZee — 2 days ago