A practical checklist for evaluating npm packages (supply chain attacks, slopsquatting, etc.)
Source: Reddit
Published:
Provenance attestation, OIDC trusted publishing, install script risk, SHA-pinned CI actions, and slopsquatting (where LLMs hallucinate package names and attackers pre-register them). Includes a tiered checklist separating security-critical signals from operational maturity signals.
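As an added illustration (not part of the post or the checklist it links to), the script below mechanises two of the security-critical signals named above: install-time lifecycle scripts declared in a package.json, and GitHub Actions `uses:` references that are not pinned to a full 40-hex commit SHA. It also groups findings into the two tiers the post describes. The sample package.json, the workflow snippet and the 40-hex digest in it are constructed for this example; the hook names are npm's documented install-time lifecycle scripts.

```python
import json
import re

# npm lifecycle scripts that run automatically during installation.
# `prepare` also runs when a dependency is installed from a git URL.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` both as a step item and as a reusable-workflow key.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def install_script_risks(package_json_text):
    """Return the install-time hooks a package.json declares, hook -> command."""
    data = json.loads(package_json_text)
    scripts = data.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def unpinned_actions(workflow_text):
    """Return `uses:` references in a workflow YAML that are not pinned to a commit SHA.

    Local actions (./path) and docker:// references are skipped; every remote
    action must carry an @<40-hex-sha> suffix to count as pinned.
    """
    unpinned = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            unpinned.append(ref)
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def operational_gaps(package_json_text):
    """Operational-maturity signals: metadata a well-kept package normally carries."""
    data = json.loads(package_json_text)
    gaps = []
    if not data.get("repository"):
        gaps.append("no repository field (harder to compare published code to source)")
    if not data.get("engines"):
        gaps.append("no engines field (unstated Node.js support range)")
    return gaps


def evaluate(package_json_text, workflow_text):
    """Tiered report: security-critical findings first, operational maturity second."""
    return {
        "security_critical": {
            "install_hooks": install_script_risks(package_json_text),
            "unpinned_actions": unpinned_actions(workflow_text),
        },
        "operational_maturity": operational_gaps(package_json_text),
    }


# Constructed sample inputs for the example.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-widget",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
    "repository": "https://example.invalid/example-widget.git",
})

SAMPLE_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7  # constructed digest
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_PACKAGE_JSON, SAMPLE_WORKFLOW), indent=2))
```

The SHA check deliberately accepts nothing shorter than 40 hex characters: tags and branches can be moved, so a `@v4` style reference is a mutable pointer even when it looks versioned, while a full commit SHA is immutable.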