Learnings from recent npm supply chain compromises
ID: 155f3991-ba37-560c-81f6-7ab25808c8c0
STIX ID: report--155f3991-ba37-560c-81f6-7ab25808c8c0
Feed Name: Datadog Security Labs
This report details a series of large-scale npm supply-chain attacks (s1ngularity, the Qix/debug/chalk compromise, Shai-Hulud, and GhostActions) in which attackers exploited GitHub Actions (pull_request_target), phishing, and unrotated tokens to publish malicious package versions containing credential-harvesting and crypto-stealing code, exfiltrate thousands of secrets, and convert private repositories to public. It emphasizes the scale and impact of CI/CD and token-based weaknesses and recommends hardening GitHub Actions, rotating credentials, enabling MFA, using SCA/SAST tools, and deploying defensive tools such as GuardDog and Supply-Chain Firewall.
