From skills
Audits and hardens Node.js projects against npm supply chain attacks including compromised maintainers, malicious packages, and install-script payloads. Provides a 30-minute baseline and audit script.
How this skill is triggered — by the user, by Claude, or both
Slash command
/skills:npm-supply-chain-securityThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> Adapted from [NPM Security Best Practices for Supply Chain Attacks](https://www.localcan.com/blog/npm-security-best-practices-supply-chain-attacks) by Localcan.
Adapted from NPM Security Best Practices for Supply Chain Attacks by Localcan.
Defends against three concrete attack patterns: zero-day malicious publishes (a compromised maintainer pushes a backdoored version), install-script payloads (lifecycle scripts run arbitrary code on install), and resolution drift (npm install picks up a newer-than-locked version). Controls operate at three layers — resolution (versions entering the lockfile), installation (lifecycle scripts), and execution environment (what the build can reach).
npm-primary; pnpm and bun equivalents are noted inline. Full per-PM detail in REFERENCE.md.
Apply the 30-minute baseline:
Commit the lockfile (package-lock.json / pnpm-lock.yaml / bun.lock).
Add an install cooldown — min-release-age=1 in .npmrc (npm 11+), or minimumReleaseAge: 1 in pnpm-workspace.yaml (pnpm 10.16+). Bun has no native equivalent — this is a real gap, since bun install re-resolves locally and bypasses any PR-layer cooldown. Configure Dependabot or Renovate cooldown as a partial mitigation for the update-PR path.
In CI/Dockerfile, install with frozen lockfile and --ignore-scripts:
npm ci --ignore-scriptspnpm install --frozen-lockfile --ignore-scriptsbun install --frozen-lockfile --ignore-scriptsAllow-list required native modules with a follow-up npm rebuild <pkg> (e.g. sharp, better-sqlite3).
Digest-pin base images: FROM node:24-alpine@sha256:..., not FROM node:24-alpine.
Add an audit step to CI: npm audit --audit-level=high (or pnpm audit / bun audit).
Put package.json, the lockfile, .npmrc, and Dockerfile under CODEOWNERS with required review.
Run the audit script (lives at scripts/audit.sh in this skill directory) from the target project's root:
bash <path-to-this-skill>/scripts/audit.sh
It detects the package manager, checks each baseline item, and prints PASS/FAIL/WARN. Treat each FAIL as a TODO; WARN items need human judgment.
Walk the user through the 30-minute checklist in order. Two recurring gotchas:
--ignore-scripts belongs in CI commands, not project-level .npmrc. Local dev often needs install scripts to compile native modules.--ignore-scripts globally.If a malicious version may have been installed:
npm ci from there.npm ls <bad-pkg> shows every dependency path. For multi-repo orgs, search across all lockfiles.This skill covers the install side — protecting your project from compromised upstream packages. If the user is also publishing packages to npm, point them at the publishing-side controls (separate concern, not audited here):
npm publish --provenance) so consumers can verify the build origin.See REFERENCE.md for per-control rationale, per-PM syntax, and incident background.
npx claudepluginhub nbbaier/agent-skillsHardens pnpm/Node.js projects against supply chain attacks by configuring minimum-release-age quarantine and frozen lockfile enforcement.
Audits and hardens third-party dependencies with npm audit, lockfiles, Dependabot, script blocking, and vulnerability monitoring. Useful for CI security gating and supply chain hardening.
Triages npm supply chain attacks and compromised packages with interactive checklists, full incident runbooks, or detection shell scripts.