Practical Package Security: The Unofficial Guide
ID: f8199bb2-e88f-5f88-a2c3-9f320c78dfba
STIX ID: report--f8199bb2-e88f-5f88-a2c3-9f320c78dfba
Feed Name: Wiz Blog
This report reviews March 2026 supply-chain package compromises (e.g., TeamPCP/Trivy-action and Axios), describes how attackers push malicious package updates to exfiltrate secrets and cascade into downstream compromises, and provides practical mitigations — including cooldowns, lockfiles/hashes, disabling install-time scripts, registry pull-through proxies, curated registries, remote developer environments, zero-trust production, and honeytoken/canary detection — to reduce exposure and limit blast radius.
