{"id":6520,"date":"2025-09-16T11:58:08","date_gmt":"2025-09-16T11:58:08","guid":{"rendered":"https:\/\/locaterisk.com\/de\/?p=6520"},"modified":"2026-02-12T14:45:14","modified_gmt":"2026-02-12T14:45:14","slug":"supply-chain-angriff-auf-npm-pakete-was-entwickler-wissen-muessen","status":"publish","type":"post","link":"https:\/\/locaterisk.com\/en\/supply-chain-angriff-auf-npm-pakete-was-entwickler-wissen-muessen\/","title":{"rendered":"Supply chain attack on npm packages: What developers need to know"},"content":{"rendered":"<div class=\"wp-block-lr-blog-article-header-module\">\r\n    <div class=\"content\">\r\n        <div class=\"main-content\">\r\n            <h1 class=\"title\">Supply chain attack on npm packages: What developers need to know<\/h1>\r\n            <p class=\"paragraph\">Software is not created in a vacuum. Projects rely on external packages to save time and add functionality, and those dependencies have a dark side: whoever can publish a new version of a package can run code on every machine that installs it. A recent attack on more than 40 npm packages shows how easily that trust can be abused. The result: stolen developer credentials and compromised tokens. 
This article explains how such attacks work and what developers should do now.<\/p>\r\n        <\/div>\r\n    <\/div>\r\n<\/div>\r\n\r\n\r\n\n\n\n<h2 class=\"wp-block-heading\">The vulnerable npm ecosystem<\/h2>\n\n\n\n<p>npm is the heart of the JavaScript world. This is where developers publish and share packages and assemble applications from them. But it is precisely this openness that criminals exploit. In this attack, malicious versions of more than 40 packages were published to the registry. The attackers' goal: stealing credentials and manipulating build processes. The reach is what makes this particularly dangerous. A new version is pulled automatically by every project that depends on the package, directly or through a transitive dependency, and any install script it carries runs on the developer's machine or CI runner with that user's privileges, before a single line of the project's own code is executed.<\/p>\n\n\n\n<p>Developers need to be vigilant when a package suddenly receives an unusual update: a version with no matching change in its source repository, a new maintainer, or a newly added install script. Even updates presented as security fixes should be checked before they are adopted. Pin dependencies in a lockfile and install with npm ci rather than npm install, so that only the recorded versions are used and their integrity hashes are verified. Disable lifecycle scripts (npm ci --ignore-scripts, or ignore-scripts=true in .npmrc) wherever the project can tolerate it, because a malicious version usually carries its payload in exactly such a script. Securing build environments is mandatory. If you want a secure code flow, you must not rely solely on the integrity of others. 
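<\/p>\n\n\n\n<p>As an added example (not part of the original article and not a LocateRisk tool), the following Node.js script audits a package-lock.json the way a developer would after news of a compromised package: it flags versions on a denylist, packages resolved from anywhere other than the official registry, entries without an integrity hash and, when compared against the previous lockfile, upgrades that newly gained an install script. The package names, versions, hashes and the denylist in it are constructed for the demonstration; the lockfile structure (the packages map of lockfile version 2 and 3, including the hasInstallScript flag npm records for packages with install hooks) is npm's own.<\/p>\n\n\n\n

```javascript
// Added example, not LocateRisk's code: audit a package-lock.json (lockfile v2/v3)
// for known-compromised versions, packages fetched from outside the official
// registry, entries without an integrity hash, and upgrades that gained an
// install script. Package names, versions, hashes and the denylist are constructed.
"use strict";

const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";

// Hypothetical denylist of compromised package@version pairs; in practice this
// comes from the advisory feed you use. Names here are made up for the demo.
const DENYLIST = {
  "example-colors": new Set(["2.1.3"]),
  "@acme/example-utils": new Set(["4.0.0", "4.0.1"]),
};

// Yield [name, entry] for every installed package in the lockfile's "packages"
// map. Keys look like "node_modules/foo" or "node_modules/a/node_modules/@s/b";
// the key "" is the root project and is skipped.
function* lockEntries(lock) {
  const marker = "node_modules/";
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue;
    yield [key.slice(key.lastIndexOf(marker) + marker.length), entry];
  }
}

function auditLockfile(lock, denylist = DENYLIST) {
  const findings = [];
  for (const [name, e] of lockEntries(lock)) {
    if (denylist[name] && denylist[name].has(e.version)) {
      findings.push({ name, version: e.version, issue: "known-compromised-version" });
    }
    if (e.resolved && !e.resolved.startsWith(OFFICIAL_REGISTRY)) {
      findings.push({ name, version: e.version, issue: "non-registry-source", resolved: e.resolved });
    }
    if (e.resolved && !e.integrity) {
      findings.push({ name, version: e.version, issue: "missing-integrity" });
    }
  }
  return findings;
}

// Compare two lockfiles: which packages changed version, and which of those
// newly gained an install script (npm records hasInstallScript for packages
// with preinstall/install/postinstall hooks). A package present at several
// nesting levels is reduced to the last key seen, which is enough for triage.
function diffLockfiles(oldLock, newLock) {
  const before = new Map(lockEntries(oldLock));
  const changes = [];
  for (const [name, e] of lockEntries(newLock)) {
    const prev = before.get(name);
    if (prev && prev.version === e.version) continue;
    changes.push({
      name,
      from: prev ? prev.version : null,
      to: e.version,
      gainedInstallScript: Boolean(e.hasInstallScript) && !(prev && prev.hasInstallScript),
    });
  }
  return changes;
}

// Constructed sample: the lockfile before and after a suspicious update.
const tarball = (name, version) => `${OFFICIAL_REGISTRY}${name}/-/${name.split("/").pop()}-${version}.tgz`;
const OLD_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-colors": { version: "2.1.2", resolved: tarball("example-colors", "2.1.2"), integrity: "sha512-AAAA" },
  "node_modules/@acme/example-utils": { version: "3.9.0", resolved: tarball("@acme/example-utils", "3.9.0"), integrity: "sha512-BBBB" },
  "node_modules/example-logger": { version: "1.4.0", resolved: tarball("example-logger", "1.4.0"), integrity: "sha512-CCCC" },
} };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-colors": { version: "2.1.3", resolved: tarball("example-colors", "2.1.3"), integrity: "sha512-DDDD", hasInstallScript: true },
  "node_modules/@acme/example-utils": { version: "3.9.0", resolved: tarball("@acme/example-utils", "3.9.0"), integrity: "sha512-BBBB" },
  "node_modules/example-logger": { version: "1.4.1", resolved: "https://mirror.example.invalid/example-logger-1.4.1.tgz" },
} };

function loadLockfile(file) {
  return JSON.parse(require("node:fs").readFileSync(file, "utf8"));
}

// Usage: node audit-lockfile.js [package-lock.json] [previous-package-lock.json]
function main(argv) {
  const newLock = argv[0] ? loadLockfile(argv[0]) : NEW_LOCK;
  const oldLock = argv[1] ? loadLockfile(argv[1]) : (argv[0] ? null : OLD_LOCK);
  console.log("findings:", JSON.stringify(auditLockfile(newLock), null, 2));
  if (oldLock) console.log("changes:", JSON.stringify(diffLockfiles(oldLock, newLock), null, 2));
}

if (typeof require !== "undefined" && require.main === module) main(process.argv.slice(2));
```

\n\n\n\n<p>Run it as node audit-lockfile.js package-lock.json previous-package-lock.json (the previous lockfile can be taken from git history); without arguments it audits the constructed sample. Treat the denylist as a placeholder for the advisory feed you actually use. The structural checks are the more valuable part: a foreign download source, a missing integrity hash or an upgrade that suddenly brings an install script catches a malicious version before any feed lists it.<\/p>\n\n\n\n<p>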
Even small packages can open doors into large systems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">TruffleHog and GitHub Actions: The attack process<\/h2>\n\n\n\n<p>TruffleHog is a legitimate open-source secret scanner. It finds credentials such as API keys, access tokens and cloud keys in repositories and on file systems so that developers can remove accidental leaks. In this attack it was turned against its users: the malicious package code ran the scanner on the compromised developer machine or CI runner, harvested the npm tokens, GitHub tokens and cloud credentials it found, and handed them to the attackers for further attacks on every package and system those credentials could reach.<\/p>\n\n\n\n<p>GitHub Actions opens further doors. With a stolen GitHub token, attackers can commit a new workflow file into the victim's repositories. Such a workflow runs automatically on the next push, has access to the repository's secrets, and can exfiltrate them or inject further malicious code, often unnoticed because it looks like ordinary CI. Without restrictive settings, GitHub becomes the hub of the attack. Developers should therefore expose secrets only to the workflows and jobs that need them, keep workflow permissions to the minimum, pin third-party actions to a commit hash, and review their workflows on an ongoing basis, treating any workflow file that appears in a commit they did not make as an incident.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Important protective measures<\/h2>\n\n\n\n<p>The first line of defense is proactive action. Tools like <strong>External Attack Surface Management (EASM)<\/strong> provide a constant overview of publicly accessible systems. They detect vulnerabilities early and report anomalies.<\/p>\n\n\n\n<p><strong>Vendor Risk Management (VRM)<\/strong> is just as indispensable. Anyone who integrates third-party code must know how reliable its source is. Every integration needs a security check. This is the only way to identify hidden risks.<\/p>\n\n\n\n<p>Developers should also establish <strong>credential rotation<\/strong>. If a system may have installed a compromised version, every credential that was reachable from it must be replaced immediately: npm tokens, GitHub tokens, SSH keys, cloud access keys and passwords. Regular audits help to identify suspicious activity in good time. Training for all team members strengthens the shared will to defend. After all, a single npm install can jeopardize the entire project.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>The attack on the npm packages shows how vulnerable modern supply chains are. Anyone who relies on external resources must be particularly vigilant. 
Regular audits, well-protected build environments and tools such as EASM and VRM are key components. They keep sensitive data protected and projects secure. Ultimately, it is up to developers to remain vigilant and to react quickly when an incident occurs, above all by rotating every credential a compromised machine could reach.<\/p>","protected":false},"author":6,"featured_media":5460,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6520","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blogpost"],"yoast_head_json":{"title":"Supply chain attack on npm packages: What developers need to know - LocateRisk","description":"Supply chain attacks on npm packages make sensitive data vulnerable. Find out how such attacks work and what protective measures developers should take.","canonical":"https:\/\/locaterisk.com\/en\/supply-chain-angriff-auf-npm-pakete-was-entwickler-wissen-muessen\/","article_published_time":"2025-09-16T11:58:08+00:00","article_modified_time":"2026-02-12T14:45:14+00:00","author":"Lukas Baumann","twitter_misc":{"Written by":"Lukas Baumann","Est. reading time":"4 minutes"}}}