npm Supply Chain Security: Mistakes I Made Publishing My First Packages

Source: DEV Community
I published four npm packages from a pnpm monorepo in March. Node 22, TypeScript, ~4k lines across the four packages, eleven direct dependencies total. First time publishing anything to npm. Within two weeks I'd almost shipped a .env.example, missed a provenance setting that fails with zero output, and found out that 2FA on npm is basically theater once you start using automation tokens.

postinstall

Before my first publish I went through every dependency's package.json looking for lifecycle scripts. Took about an hour. The reason: ua-parser-js in 2021, colors + faker in 2022, @ledgerhq/connect-kit in 2023. All compromised through npm. All exploited postinstall. The attack is dead simple:

```json
{
  "scripts": {
    "postinstall": "node ./setup.js"
  }
}
```

Runs on npm install. No prompt, no sandbox. Full user permissions. Read env vars, POST them somewhere, done.

pnpm doesn't run lifecycle scripts from deps by default. npm and yarn do. That alone is a reason to use pnpm, honestly.

To see which deps decl