Following the recent npm ecosystem attacks, a new threat emerged: the ‘s1ngularity’ attack, and its subsequent evolution into the ‘Shai-Hulud’ worm. The new attack vector demonstrates a significant escalation in the tactics of malicious actors, moving beyond simple package compromise to target the developer’s environment and even their AI tools.

How did this differ from the previous npm supply chain attack?

Both the intention and vector of the attack were different.

• The ‘s1ngularity’/nx attack was focused on harvesting credentials and data exfiltration.
• The initial entry point was not a phishing attack (which was the vector of the previous attack), instead it exploited a vulnerable GitHub Action, which allowed attackers to steal an npm publishing token.

Notably this was one of the first documented cases of malware using AI command-line tools (like Claude, Gemini, and Q) to assist in identifying and exfiltrating sensitive data.

What actions should you take?

• Block with Deny Rules: as with previous attacks, immediately block any known malicious packages and versions.
• Audit Potential Exposure: Use your Cloudsmith client logs to identify any user or service account that may have pulled down a malicious package.
• Quarantine and Flag with EPM: Enable Enterprise Policy Management (EPM) and Continuous Security. Use policies to automatically quarantine packages that are identified malicious by security feeds like OSV.dev.
• Rotate Credentials: Due to the nature of these attacks, it is critical to immediately revoke and rotate all potentially compromised credentials. Think about implementing ephemeral tokens (using OIDC) or strict policies for short-lived tokens.
• Strengthen Security Practices: implement a more robust security posture. This includes enforcing multifactor authentication, limiting the scope of access tokens, and closely monitoring your CI/CD pipelines for anomalous behaviour.

As with the previous attack, once identified, a simple EPM policy would quarantine malicious packages:

package cloudsmith

default match := false

match if count(malicious_packages) > 0

malicious_packages := [vulnerability.id |
	some vulnerability in input.v0.osv
	startswith(vulnerability.id, "MAL-")
]

The Path Forward

The 's1ngularity' and 'Shai-Hulud' attacks demonstrate that attackers will continue to exploit the trust within the open-source ecosystem. The gap between a zero-day and an n-day is shrinking, and the ability of a threat to self-propagate can cause widespread damage in a matter of hours.

A full list of package Deny Rules

(format:npm) AND (name:^@ahmedhfarag/ngx-perfect-scrollbar$ AND version:^20.0.20$)
(format:npm) AND (name:^@ahmedhfarag/ngx-virtual-scroller$ AND version:^4.0.4$)
(format:npm) AND (name:^@art-ws/common$ AND version:^2.0.28$)
(format:npm) AND (name:^@art-ws/config-eslint$ AND version:^2.0.4$ OR version:^2.0.5$)
(format:npm) AND (name:^@art-ws/config-ts$ AND version:^2.0.7$ OR version:^2.0.8$)
(format:npm) AND (name:^@art-ws/db-context$ AND version:^2.0.24$)
(format:npm) AND (name:^@art-ws/di$ AND version:^2.0.28$ OR version:^2.0.32$)
(format:npm) AND (name:^@art-ws/di-node$ AND version:^2.0.13$)
(format:npm) AND (name:^@art-ws/eslint$ AND version:^1.0.5$ OR version:^1.0.6$)
(format:npm) AND (name:^@art-ws/fastify-http-server$ AND version:^2.0.24$ OR version:^2.0.27$)
(format:npm) AND (name:^@art-ws/http-server$ AND version:^2.0.21$ OR version:^2.0.25$)
(format:npm) AND (name:^@art-ws/openapi$ AND version:^0.1.9$ OR version:^0.1.12$)
(format:npm) AND (name:^@art-ws/package-base$ AND version:^1.0.5$ OR version:^1.0.6$)
(format:npm) AND (name:^@art-ws/prettier$ AND version:^1.0.5$ OR version:^1.0.6$)
(format:npm) AND (name:^@art-ws/slf$ AND version:^2.0.15$ OR version:^2.0.22$)
(format:npm) AND (name:^@art-ws/ssl-info$ AND version:^1.0.9$ OR version:^1.0.10$)
(format:npm) AND (name:^@art-ws/web-app$ AND version:^1.0.3$ OR version:^1.0.4$)
(format:npm) AND (name:^@crowdstrike/commitlint$ AND version:^8.1.1$ OR version:^8.1.2$)
(format:npm) AND (name:^@crowdstrike/falcon-shoelace$ AND version:^0.4.1$ OR version:^0.4.2$)
(format:npm) AND (name:^@crowdstrike/foundry-js$ AND version:^0.19.1$ OR version:^0.19.2$)
(format:npm) AND (name:^@crowdstrike/glide-core$ AND version:^0.34.2$ OR version:^0.34.3$)
(format:npm) AND (name:^@crowdstrike/logscale-dashboard$ AND version:^1.205.1$ OR version:^1.205.2$)
(format:npm) AND (name:^@crowdstrike/logscale-file-editor$ AND version:^1.205.1$ OR version:^1.205.2$)
(format:npm) AND (name:^@crowdstrike/logscale-parser-edit$ AND version:^1.205.1$ OR version:^1.205.2$)
(format:npm) AND (name:^@crowdstrike/logscale-search$ AND version:^1.205.1$ OR version:^1.205.2$)
(format:npm) AND (name:^@crowdstrike/tailwind-toucan-base$ AND version:^5.0.1$ OR version:^5.0.2$)
(format:npm) AND (name:^@ctrl/deluge$ AND version:^7.2.1$ OR version:^7.2.2$)
(format:npm) AND (name:^@ctrl/golang-template$ AND version:^1.4.2$ OR version:^1.4.3$)
(format:npm) AND (name:^@ctrl/magnet-link$ AND version:^4.0.3$ OR version:^4.0.4$)
(format:npm) AND (name:^@ctrl/ngx-codemirror$ AND version:^7.0.1$ OR version:^7.0.2$)
(format:npm) AND (name:^@ctrl/ngx-csv$ AND version:^6.0.1$ OR version:^6.0.2$)
(format:npm) AND (name:^@ctrl/ngx-emoji-mart$ AND version:^9.2.1$ OR version:^9.2.2$)
(format:npm) AND (name:^@ctrl/ngx-rightclick$ AND version:^4.0.1$ OR version:^4.0.2$)
(format:npm) AND (name:^@ctrl/qbittorrent$ AND version:^9.7.1$ OR version:^9.7.2$)
(format:npm) AND (name:^@ctrl/react-adsense$ AND version:^2.0.1$ OR version:^2.0.2$)
(format:npm) AND (name:^@ctrl/shared-torrent$ AND version:^6.3.1$ OR version:^6.3.2$)
(format:npm) AND (name:^@ctrl/tinycolor$ AND version:^4.1.1$ OR version:^4.1.2$)
(format:npm) AND (name:^@ctrl/torrent-file$ AND version:^4.1.1$ OR version:^4.1.2$)
(format:npm) AND (name:^@ctrl/transmission$ AND version:^7.3.1$)
(format:npm) AND (name:^@ctrl/ts-base32$ AND version:^4.0.1$ OR version:^4.0.2$)
(format:npm) AND (name:^@hestjs/core$ AND version:^0.2.1$)
(format:npm) AND (name:^@hestjs/cqrs$ AND version:^0.1.6$)
(format:npm) AND (name:^@hestjs/demo$ AND version:^0.1.2$)
(format:npm) AND (name:^@hestjs/eslint-config$ AND version:^0.1.2$)
(format:npm) AND (name:^@hestjs/logger$ AND version:^0.1.6$)
(format:npm) AND (name:^@hestjs/scalar$ AND version:^0.1.7$)
(format:npm) AND (name:^@hestjs/validation$ AND version:^0.1.6$)
(format:npm) AND (name:^@nativescript-community/arraybuffers$ AND version:^1.1.6$ OR version:^1.1.7$ OR version:^1.1.8$)
(format:npm) AND (name:^@nativescript-community/gesturehandler$ AND version:^2.0.35$)
(format:npm) AND (name:^@nativescript-community/perms$ AND version:^3.0.5$ OR version:^3.0.6$ OR version:^3.0.7$ OR version:^3.0.8$)
(format:npm) AND (name:^@nativescript-community/sqlite$ AND version:^3.5.2$ OR version:^3.5.3$ OR version:^3.5.4$ OR version:^3.5.5$)
(format:npm) AND (name:^@nativescript-community/text$ AND version:^1.6.9$ OR version:^1.6.10$ OR version:^1.6.11$ OR version:^1.6.12$)
(format:npm) AND (name:^@nativescript-community/typeorm$ AND version:^0.2.30$ OR version:^0.2.31$ OR version:^0.2.32$ OR version:^0.2.33$)
(format:npm) AND (name:^@nativescript-community/ui-collectionview$ AND version:^6.0.6$)
(format:npm) AND (name:^@nativescript-community/ui-document-picker$ AND version:^1.1.27$ OR version:^1.1.28$)
(format:npm) AND (name:^@nativescript-community/ui-drawer$ AND version:^0.1.30$)
(format:npm) AND (name:^@nativescript-community/ui-image$ AND version:^4.5.6$)
(format:npm) AND (name:^@nativescript-community/ui-label$ AND version:^1.3.35$ OR version:^1.3.36$ OR version:^1.3.37$)
(format:npm) AND (name:^@nativescript-community/ui-material-bottom-navigation$ AND version:^7.2.72$ OR version:^7.2.73$ OR version:^7.2.74$ OR version:^7.2.75$)
(format:npm) AND (name:^@nativescript-community/ui-material-bottomsheet$ AND version:^7.2.72$)
(format:npm) AND (name:^@nativescript-community/ui-material-core$ AND version:^7.2.72$ OR version:^7.2.73$ OR version:^7.2.74$ OR version:^7.2.75$)
(format:npm) AND (name:^@nativescript-community/ui-material-core-tabs$ AND version:^7.2.72$ OR version:^7.2.73$ OR version:^7.2.74$ OR version:^7.2.75$)
(format:npm) AND (name:^@nativescript-community/ui-material-ripple$ AND version:^7.2.72$ OR version:^7.2.73$ OR version:^7.2.74$ OR version:^7.2.75$)
(format:npm) AND (name:^@nativescript-community/ui-material-tabs$ AND version:^7.2.72$ OR version:^7.2.73$ OR version:^7.2.74$ OR version:^7.2.75$)
(format:npm) AND (name:^@nativescript-community/ui-pager$ AND version:^14.1.36$ OR version:^14.1.37$ OR version:^14.1.38$)
(format:npm) AND (name:^@nativescript-community/ui-pulltorefresh$ AND version:^2.5.4$ OR version:^2.5.5$ OR version:^2.5.6$ OR version:^2.5.7$)
(format:npm) AND (name:^@nexe/config-manager$ AND version:^0.1.1$)
(format:npm) AND (name:^@nexe/eslint-config$ AND version:^0.1.1$)
(format:npm) AND (name:^@nexe/logger$ AND version:^0.1.3$)
(format:npm) AND (name:^@nstudio/angular$ AND version:^20.0.4$ OR version:^20.0.5$ OR version:^20.0.6$)
(format:npm) AND (name:^@nstudio/focus$ AND version:^20.0.4$ OR version:^20.0.5$ OR version:^20.0.6$)
(format:npm) AND (name:^@nstudio/nativescript-checkbox$ AND version:^2.0.6$ OR version:^2.0.7$ OR version:^2.0.8$ OR version:^2.0.9$)
(format:npm) AND (name:^@nstudio/nativescript-loading-indicator$ AND version:^5.0.1$ OR version:^5.0.2$ OR version:^5.0.3$ OR version:^5.0.4$)
(format:npm) AND (name:^@nstudio/ui-collectionview$ AND version:^5.1.11$ OR version:^5.1.12$ OR version:^5.1.13$ OR version:^5.1.14$)
(format:npm) AND (name:^@nstudio/web$ AND version:^20.0.4$)
(format:npm) AND (name:^@nstudio/web-angular$ AND version:^20.0.4$)
(format:npm) AND (name:^@nstudio/xplat$ AND version:^20.0.5$ OR version:^20.0.6$ OR version:^20.0.7$)
(format:npm) AND (name:^@nstudio/xplat-utils$ AND version:^20.0.5$ OR version:^20.0.6$ OR version:^20.0.7$)
(format:npm) AND (name:^@operato/board$ AND version:^9.0.36$ OR version:^9.0.37$ OR version:^9.0.38$ OR version:^9.0.39$ OR version:^9.0.40$ OR version:^9.0.41$ OR version:^9.0.42$ OR version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$ OR version:^9.0.46$)
(format:npm) AND (name:^@operato/data-grist$ AND version:^9.0.29$ OR version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$)
(format:npm) AND (name:^@operato/graphql$ AND version:^9.0.22$ OR version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$ OR version:^9.0.38$ OR version:^9.0.39$ OR version:^9.0.40$ OR version:^9.0.41$ OR version:^9.0.42$ OR version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$ OR version:^9.0.46$)
(format:npm) AND (name:^@operato/headroom$ AND version:^9.0.2$ OR version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$)
(format:npm) AND (name:^@operato/help$ AND version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$ OR version:^9.0.38$ OR version:^9.0.39$ OR version:^9.0.40$ OR version:^9.0.41$ OR version:^9.0.42$ OR version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$ OR version:^9.0.46$)
(format:npm) AND (name:^@operato/i18n$ AND version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$)
(format:npm) AND (name:^@operato/input$ AND version:^9.0.27$ OR version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$ OR version:^9.0.38$ OR version:^9.0.39$ OR version:^9.0.40$ OR version:^9.0.41$ OR version:^9.0.42$ OR version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$ OR version:^9.0.46$)
(format:npm) AND (name:^@operato/layout$ AND version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$)
(format:npm) AND (name:^@operato/popup$ AND version:^9.0.22$ OR version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$ OR version:^9.0.38$ OR version:^9.0.39$ OR version:^9.0.40$ OR version:^9.0.41$ OR version:^9.0.42$ OR version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$ OR version:^9.0.46$)
(format:npm) AND (name:^@operato/pull-to-refresh$ AND version:^9.0.36$ OR version:^9.0.37$ OR version:^9.0.38$ OR version:^9.0.39$ OR version:^9.0.40$ OR version:^9.0.41$ OR version:^9.0.42$)
(format:npm) AND (name:^@operato/shell$ AND version:^9.0.22$ OR version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$ OR version:^9.0.38$ OR version:^9.0.39$)
(format:npm) AND (name:^@operato/styles$ AND version:^9.0.2$ OR version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$)
(format:npm) AND (name:^@operato/utils$ AND version:^9.0.22$ OR version:^9.0.35$ OR version:^9.0.36$ OR version:^9.0.37$ OR version:^9.0.38$ OR version:^9.0.39$ OR version:^9.0.40$ OR version:^9.0.41$ OR version:^9.0.42$ OR version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$ OR version:^9.0.46$)
(format:npm) AND (name:^@teselagen/bounce-loader$ AND version:^0.3.16$ OR version:^0.3.17$)
(format:npm) AND (name:^@teselagen/liquibase-tools$ AND version:^0.4.1$)
(format:npm) AND (name:^@teselagen/range-utils$ AND version:^0.3.14$ OR version:^0.3.15$)
(format:npm) AND (name:^@teselagen/react-list$ AND version:^0.8.19$ OR version:^0.8.20$)
(format:npm) AND (name:^@teselagen/react-table$ AND version:^6.10.19$)
(format:npm) AND (name:^@thangved/callback-window$ AND version:^1.1.4$)
(format:npm) AND (name:^@things-factory/attachment-base$ AND version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$ OR version:^9.0.46$ OR version:^9.0.47$ OR version:^9.0.48$ OR version:^9.0.49$ OR version:^9.0.50$)
(format:npm) AND (name:^@things-factory/auth-base$ AND version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$)
(format:npm) AND (name:^@things-factory/email-base$ AND version:^9.0.42$ OR version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$ OR version:^9.0.46$ OR version:^9.0.47$ OR version:^9.0.48$ OR version:^9.0.49$ OR version:^9.0.50$ OR version:^9.0.51$ OR version:^9.0.52$ OR version:^9.0.53$ OR version:^9.0.54$)
(format:npm) AND (name:^@things-factory/env$ AND version:^9.0.42$ OR version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$)
(format:npm) AND (name:^@things-factory/integration-base$ AND version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$)
(format:npm) AND (name:^@things-factory/integration-marketplace$ AND version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$)
(format:npm) AND (name:^@things-factory/shell$ AND version:^9.0.43$ OR version:^9.0.44$ OR version:^9.0.45$)
(format:npm) AND (name:^@tnf-dev/api$ AND version:^1.0.8$)
(format:npm) AND (name:^@tnf-dev/core$ AND version:^1.0.8$)
(format:npm) AND (name:^@tnf-dev/js$ AND version:^1.0.8$)
(format:npm) AND (name:^@tnf-dev/mui$ AND version:^1.0.8$)
(format:npm) AND (name:^@tnf-dev/react$ AND version:^1.0.8$)
(format:npm) AND (name:^@ui-ux-gang/devextreme-angular-rpk$ AND version:^24.1.7$)
(format:npm) AND (name:^@yoobic/design-system$ AND version:^6.5.17$)
(format:npm) AND (name:^@yoobic/jpeg-camera-es6$ AND version:^1.0.13$)
(format:npm) AND (name:^@yoobic/yobi$ AND version:^8.7.53$)
(format:npm) AND (name:^airchief$ AND version:^0.3.1$)
(format:npm) AND (name:^airpilot$ AND version:^0.8.8$)
(format:npm) AND (name:^angulartics2$ AND version:^14.1.1$ OR version:^14.1.2$)
(format:npm) AND (name:^browser-webdriver-downloader$ AND version:^3.0.8$)
(format:npm) AND (name:^capacitor-notificationhandler$ AND version:^0.0.2$ OR version:^0.0.3$)
(format:npm) AND (name:^capacitor-plugin-healthapp$ AND version:^0.0.2$ OR version:^0.0.3$)
(format:npm) AND (name:^capacitor-plugin-ihealth$ AND version:^1.1.8$ OR version:^1.1.9$)
(format:npm) AND (name:^capacitor-plugin-vonage$ AND version:^1.0.2$ OR version:^1.0.3$)
(format:npm) AND (name:^capacitorandroidpermissions$ AND version:^0.0.4$ OR version:^0.0.5$)
(format:npm) AND (name:^config-cordova$ AND version:^0.8.5$)
(format:npm) AND (name:^cordova-plugin-voxeet2$ AND version:^1.0.24$)
(format:npm) AND (name:^cordova-voxeet$ AND version:^1.0.32$)
(format:npm) AND (name:^create-hest-app$ AND version:^0.1.9$)
(format:npm) AND (name:^db-evo$ AND version:^1.1.4$ OR version:^1.1.5$)
(format:npm) AND (name:^devextreme-angular-rpk$ AND version:^21.2.8$)
(format:npm) AND (name:^ember-browser-services$ AND version:^5.0.2$ OR version:^5.0.3$)
(format:npm) AND (name:^ember-headless-form$ AND version:^1.1.2$ OR version:^1.1.3$)
(format:npm) AND (name:^ember-headless-form-yup$ AND version:^1.0.1$)
(format:npm) AND (name:^ember-headless-table$ AND version:^2.1.5$ OR version:^2.1.6$)
(format:npm) AND (name:^ember-url-hash-polyfill$ AND version:^1.0.12$ OR version:^1.0.13$)
(format:npm) AND (name:^ember-velcro$ AND version:^2.2.1$ OR version:^2.2.2$)
(format:npm) AND (name:^encounter-playground$ AND version:^0.0.2$ OR version:^0.0.3$ OR version:^0.0.4$ OR version:^0.0.5$)
(format:npm) AND (name:^eslint-config-crowdstrike$ AND version:^11.0.2$ OR version:^11.0.3$)
(format:npm) AND (name:^eslint-config-crowdstrike-node$ AND version:^4.0.3$ OR version:^4.0.4$)
(format:npm) AND (name:^eslint-config-teselagen$ AND version:^6.1.7$)
(format:npm) AND (name:^globalize-rpk$ AND version:^1.7.4$)
(format:npm) AND (name:^graphql-sequelize-teselagen$ AND version:^5.3.8$)
(format:npm) AND (name:^html-to-base64-image$ AND version:^1.0.2$)
(format:npm) AND (name:^json-rules-engine-simplified$ AND version:^0.2.1$)
(format:npm) AND (name:^jumpgate$ AND version:^0.0.2$)
(format:npm) AND (name:^koa2-swagger-ui$ AND version:^5.11.1$ OR version:^5.11.2$)
(format:npm) AND (name:^mcfly-semantic-release$ AND version:^1.3.1$)
(format:npm) AND (name:^mcp-knowledge-base$ AND version:^0.0.2$)
(format:npm) AND (name:^mcp-knowledge-graph$ AND version:^1.2.1$)
(format:npm) AND (name:^mobioffice-cli$ AND version:^1.0.3$)
(format:npm) AND (name:^monorepo-next$ AND version:^13.0.1$ OR version:^13.0.2$)
(format:npm) AND (name:^mstate-angular$ AND version:^0.4.4$)
(format:npm) AND (name:^mstate-cli$ AND version:^0.4.7$)
(format:npm) AND (name:^mstate-dev-react$ AND version:^1.1.1$)
(format:npm) AND (name:^mstate-react$ AND version:^1.6.5$)
(format:npm) AND (name:^ng2-file-upload$ AND version:^7.0.2$ OR version:^7.0.3$ OR version:^8.0.1$ OR version:^8.0.2$ OR version:^8.0.3$ OR version:^9.0.1$)
(format:npm) AND (name:^ngx-bootstrap$ AND version:^18.1.4$ OR version:^19.0.3$ OR version:^19.0.4$ OR version:^20.0.3$ OR version:^20.0.4$ OR version:^20.0.5$)
(format:npm) AND (name:^ngx-color$ AND version:^10.0.1$ OR version:^10.0.2$)
(format:npm) AND (name:^ngx-toastr$ AND version:^19.0.1$ OR version:^19.0.2$)
(format:npm) AND (name:^ngx-trend$ AND version:^8.0.1$)
(format:npm) AND (name:^ngx-ws$ AND version:^1.1.5$ OR version:^1.1.6$)
(format:npm) AND (name:^oradm-to-gql$ AND version:^35.0.14$ OR version:^35.0.15$)
(format:npm) AND (name:^oradm-to-sqlz$ AND version:^1.1.2$)
(format:npm) AND (name:^ove-auto-annotate$ AND version:^0.0.9$)
(format:npm) AND (name:^pm2-gelf-json$ AND version:^1.0.4$ OR version:^1.0.5$)
(format:npm) AND (name:^printjs-rpk$ AND version:^1.6.1$)
(format:npm) AND (name:^react-complaint-image$ AND version:^0.0.32$)
(format:npm) AND (name:^react-jsonschema-form-conditionals$ AND version:^0.3.18$)
(format:npm) AND (name:^remark-preset-lint-crowdstrike$ AND version:^4.0.1$ OR version:^4.0.2$)
(format:npm) AND (name:^rxnt-authentication$ AND version:^0.0.3$ OR version:^0.0.4$ OR version:^0.0.5$ OR version:^0.0.6$)
(format:npm) AND (name:^rxnt-healthchecks-nestjs$ AND version:^1.0.2$ OR version:^1.0.3$ OR version:^1.0.4$ OR version:^1.0.5$)
(format:npm) AND (name:^rxnt-kue$ AND version:^1.0.4$ OR version:^1.0.5$ OR version:^1.0.6$ OR version:^1.0.7$)
(format:npm) AND (name:^swc-plugin-component-annotate$ AND version:^1.9.1$ OR version:^1.9.2$)
(format:npm) AND (name:^tbssnch$ AND version:^1.0.2$)
(format:npm) AND (name:^teselagen-interval-tree$ AND version:^1.1.2$)
(format:npm) AND (name:^tg-client-query-builder$ AND version:^2.14.4$ OR version:^2.14.5$)
(format:npm) AND (name:^tg-redbird$ AND version:^1.3.1$)
(format:npm) AND (name:^tg-seq-gen$ AND version:^1.0.9$ OR version:^1.0.10$)
(format:npm) AND (name:^thangved-react-grid$ AND version:^1.0.3$)
(format:npm) AND (name:^ts-gaussian$ AND version:^3.0.5$ OR version:^3.0.6$)
(format:npm) AND (name:^ts-imports$ AND version:^1.0.1$ OR version:^1.0.2$)
(format:npm) AND (name:^tvi-cli$ AND version:^0.1.5$)
(format:npm) AND (name:^ve-bamreader$ AND version:^0.2.6$)
(format:npm) AND (name:^ve-editor$ AND version:^1.0.1$)
(format:npm) AND (name:^verror-extra$ AND version:^6.0.1$)
(format:npm) AND (name:^voip-callkit$ AND version:^1.0.2$ OR version:^1.0.3$)
(format:npm) AND (name:^wdio-web-reporter$ AND version:^0.1.3$)
(format:npm) AND (name:^yargs-help-output$ AND version:^5.0.3$)
(format:npm) AND (name:^yoo-styles$ AND version:^6.0.326$)

Strengthening your software supply chain starts with understanding where you are today. Our free maturity assessment highlights gaps, benchmarks your current practices, and points you toward practical next steps. Request yours here.