Arrange Act Assert

Jag Reehal's thinking on things, mostly product development

Tag: security

3 posts tagged “security”.

Your .env File Is Not a Secret Store

21 Apr 2026

Most teams make one of two mistakes with secrets.

The first is obvious.

The second is more common in teams that have already fixed the first one.

Both come from the same misunderstanding about what a .env file is supposed to do.

Log the Fingerprint, Not the Secret

21 Apr 2026

When something goes wrong with your application's configuration, you need to know what was loaded and where it came from.

Most tools for answering that question either tell you too much or nothing at all.

There's a third option most people haven't considered.

The package manager settings that would have blocked the Axios attack

07 Apr 2026

On the 31st of March 2026, attackers hijacked an npm maintainer account and published malicious versions of axios with a remote access trojan baked in. npm pulled the bad releases after about two or three hours, but that was enough. Anyone who ran npm install axios during that window could have installed the trojan. The article “Post Mortem: axios npm supply chain compromise” has all the details.

This kind of attack keeps happening, and the playbook barely changes: compromise an account, push a malicious update, hope people install it before anyone notices, get removed a few hours later.

Every major package manager now lets you defend against this. In this post I'll show you the setup for npm, pnpm, Bun and Yarn.