June 12, 2026

NPM attacks and the security of software supply chains

OPA is widely used, so you expect to see it work out—you want to see that work out. The reality is you can count on two hands the number of commercially successful open source businesses operating at scale. Even among those, all have had questions about their commercial viability at one point or another. Contrary to popular belief, there are no rules for what works in commercial open source. This stuff is hard.

History bears him out. There are successes—Red Hat (acquired by IBM), Elastic, MongoDB, Cloudera, MuleSoft, Confluent, Temporal, HashiCorp (also acquired by IBM)—but each navigated awkward trade-offs on licensing, cloud competition, or monetization models. There’s no single “do this and win” playbook.

Even where there’s funding, it doesn’t always land where the risk is. In 2022 I noted that OpenSSF’s multi-point plan was commendable, but generalized funding can’t paper over the reality that attack surfaces change faster than checklists. The most durable wins come from standards for provenance, routine signing, predictable response, and the plumbing that makes “secure by default” boring.
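One concrete piece of that "boring plumbing" in the NPM world is the lockfile: every resolved package carries a `resolved` URL and an SRI `integrity` digest, and an install that re-verifies them refuses a tarball that differs from what was pinned. The script below is an added illustration, not code from the post or from any NPM tooling; the lockfile fragment, the registry allow-list and the tarball bytes are all constructed for the example, and the check covers three failure modes a practitioner actually meets: a tarball whose contents no longer match the pinned hash, an entry with no `integrity` at all, and an entry resolved from a host other than the expected registry.

```python
import base64
import hashlib
import json

# Constructed sample: the tarball bytes an installer would fetch for each
# lockfile entry. Entirely made up for this example.
TARBALLS = {
    "node_modules/left-pad": b"fake tarball bytes for left-pad@1.3.0",
    "node_modules/evil-helper": b"tarball that does not match its lockfile hash",
    "node_modules/unpinned": b"tarball with no integrity field at all",
}


def sri(data: bytes, algo: str = "sha512") -> str:
    """Build a Subresource Integrity string in the form npm records: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed package-lock.json (lockfileVersion 3 layout). One entry is
# consistent, one pins a hash of different bytes, one has no integrity field
# and points at an internal mirror instead of the public registry.
LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": sri(TARBALLS["node_modules/left-pad"]),
        },
        "node_modules/evil-helper": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/evil-helper/-/evil-helper-2.0.1.tgz",
            # Digest of other content: what you see when the tarball was swapped after pinning.
            "integrity": sri(b"original, unmodified evil-helper-2.0.1"),
        },
        "node_modules/unpinned": {
            "version": "0.1.0",
            "resolved": "http://mirror.example.internal/unpinned-0.1.0.tgz",
        },
    },
})


def parse_sri(value: str):
    """Split 'sha512-AAAA...' into (algorithm, raw digest bytes)."""
    algo, _, b64 = value.partition("-")
    return algo, base64.b64decode(b64)


def check_lockfile(lock_text: str, tarballs: dict, allowed_registry: str = "https://registry.npmjs.org/"):
    """Return {package path: [findings]} for every non-root entry in the lockfile.

    An empty finding list means the entry is pinned, resolved from the allowed
    registry, and its tarball bytes match the recorded digest.
    """
    findings = {}
    for path, meta in json.loads(lock_text)["packages"].items():
        if path == "":  # the root project itself, nothing to verify
            continue
        problems = []
        resolved = meta.get("resolved", "")
        if not resolved.startswith(allowed_registry):
            problems.append(f"resolved outside {allowed_registry}: {resolved}")
        integrity = meta.get("integrity")
        if not integrity:
            problems.append("no integrity field: nothing pins the tarball contents")
        else:
            algo, expected = parse_sri(integrity)
            if algo not in ("sha256", "sha384", "sha512"):
                problems.append(f"unsupported digest algorithm: {algo}")
            elif hashlib.new(algo, tarballs[path]).digest() != expected:
                problems.append("integrity mismatch: tarball differs from what the lockfile pinned")
        findings[path] = problems
    return findings


if __name__ == "__main__":
    for pkg, problems in check_lockfile(LOCKFILE, TARBALLS).items():
        print(pkg, "OK" if not problems else "; ".join(problems))
```

Run as-is it reports `left-pad` clean, an integrity mismatch for `evil-helper`, and both a missing digest and an off-registry URL for `unpinned`. The point is not the dozen lines of hashing but that the check is mechanical and cheap, which is exactly what lets it run on every install instead of relying on someone noticing a swapped tarball.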

What works and what still doesn’t

Back to NPM. Why did this compromise “go out with a whimper”? Partly because the adversary deployed amateurish malware and got caught quickly. But there’s also evidence the ecosystem’s guardrails are better than they were a few years ago:
