NPM Supply Chain: A Critical Threat to Cloud-Native
ID: ea34767e-badb-5689-adca-5ffec8416f48
STIX ID: report--ea34767e-badb-5689-adca-5ffec8416f48
Feed Name: Aqua Security Blog
**Executive summary:** A software supply-chain attack compromised an npm maintainer through a phishing domain, which let the attacker publish tainted versions of 18 popular packages (collectively ~2.6 billion weekly downloads). The malicious versions injected browser-based malware designed to hijack crypto/Web3 transactions. A security firm detected the malicious updates and the maintainer removed the affected versions within hours; the report advocates SBOMs, dynamic threat analysis, and runtime protections to mitigate such risks.
