The Weekly Dev's Brew #29 ☕
Trust Issues: NPM Edition
Welcome to another riveting episode of The Weekly Dev's Brew. In today's episode: NPM packages gone rogue, your dependencies are probably compromised, and the supply chain attacks are getting way too real.
So grab your favorite mug and let's dive into this week's chaos, because apparently even the most trusted packages in the ecosystem can't be trusted anymore. What a time to be alive.
☕ The Main Roast: NPM's Trust Issues Are Getting Real
Alright, let's talk about the elephant in the room. Or should I say, the malware in your node_modules. Because on September 8th, some absolute genius attackers decided to compromise 18 of the most popular NPM packages with over 2 billion weekly downloads combined. Yeah, you read that right. Billion with a B.
We're talking about packages you've definitely used: chalk, debug, ansi-styles, color-convert, strip-ansi.
So basically the entire foundation of terminal styling that every dev tool on the planet depends on. These aren't some sketchy packages from random publishers. These are the dependencies that your dependencies depend on.
What Actually Happened
The attackers pushed new versions of these packages containing obfuscated malicious code that specifically targets crypto and web3 activity. The code sits there quietly, waiting for users to interact with crypto wallets, then silently intercepts transactions and redirects funds to attacker-controlled accounts. It's like having a pickpocket living in your computer, except they're stealing crypto instead of your wallet.
Here's the scary part: the malicious code only executes in browser environments and targets web3 interactions specifically. So if you're just running these packages server-side, you might not even notice anything wrong. But if any of your frontend dependencies pull these in (which they absolutely do), you've got a problem.
The Damage Report
Let's put this in perspective. The compromised packages include:
chalk (299.99m downloads/week) - Because who doesn't love colored console output?
debug (357.6m downloads/week) - The logging library that's everywhere
ansi-styles (371.41m downloads/week) - Terminal styling made easy
Plus 15 other packages you've definitely used
The fact that attackers targeted the npm supply chain this aggressively shows they're getting smarter. Why hack individual apps when you can compromise the dependencies that every app uses?
What You Need to Do Right Now
Stop what you're doing and check your lockfiles. Seriously. Here's your action plan:
1. Check your versions against the compromised list
2. Clear your npm cache: npm cache clean --force
3. Reinstall everything: delete node_modules, then run a fresh install
4. Make sure you're using lockfiles and pinned versions (you should already be doing this)
5. Consider using a security tool that checks your dependencies for known vulnerabilities
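A scanner for the first step of that plan, as an added example that is not code from the newsletter: it checks every install recorded in a parsed package-lock.json (npm's v1 nested format or the v2/v3 flat "packages" format) against an advisory map, including transitive installs. The version strings in ADVISORY are constructed placeholders standing in for the real advisory's version list, and the sample lockfile is constructed too.

```javascript
// Added example (not the newsletter's code): scan a parsed package-lock.json
// for packages a supply-chain advisory lists as compromised.
// The version strings in ADVISORY are CONSTRUCTED PLACEHOLDERS; fill in the
// versions named by the official advisory before using this on a real project.
const ADVISORY = {
  chalk: ["9.9.9-example"], debug: ["9.9.9-example"], "ansi-styles": ["9.9.9-example"],
  "color-convert": ["9.9.9-example"], "strip-ansi": ["9.9.9-example"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (lockfile v2/v3 keys).
function nameFromLockKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// Flatten a lockfile v1 "dependencies" tree, which nests transitive deps.
function walkV1(deps, out, parent) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = parent ? `${parent} > ${name}` : name;
    out.push({ name, version: info.version, where });
    walkV1(info.dependencies, out, where);
  }
}

// Return every installed {name, version, where} the advisory flags, transitive installs included.
function findCompromised(lock, advisory = ADVISORY) {
  const installed = [];
  if (lock.packages) {                          // lockfileVersion 2 or 3
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === "") continue;                 // root project entry
      installed.push({ name: nameFromLockKey(key), version: info.version, where: key });
    }
  } else {
    walkV1(lock.dependencies, installed, "");   // lockfileVersion 1
  }
  return installed.filter(p => (advisory[p.name] || []).includes(p.version));
}

// Constructed sample lockfile: a clean top-level chalk plus a transitive debug
// pinned to the placeholder "bad" version, so the scan has a hit to report.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/chalk": { version: "4.1.2" },
    "node_modules/some-cli/node_modules/debug": { version: "9.9.9-example" },
  },
};
console.log(findCompromised(SAMPLE_LOCK));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to findCompromised after replacing the placeholder versions.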
The silver lining? NPM acted pretty quickly to remove the malicious versions. But this is exactly why we can't just npm install our way through life without thinking about security.
This whole situation is a perfect reminder that our entire development ecosystem is built on trust, and sometimes that trust gets betrayed. The dependency tree goes so deep that most of us have no idea what's actually running in our applications.
☕ Quick Sips
Brief bits of goodness to fuel your development day
Incredible Vitest Defaults by Epic Web Dev
Artem Zakharchenko breaks down why Vitest's defaults are actually brilliant. From zero-config ESM support to intelligent test discovery, this deep dive explains why good defaults are the secret sauce that makes tools feel magical instead of frustrating.
Introducing the MCP Registry by MCP Blog
The Model Context Protocol now has a centralized registry for MCP servers. It's the starting point for discovering and sharing MCP implementations, with community-driven moderation to keep the spam and malicious stuff out.
A hands-on exploration of recreating Apple's stunning Liquid Glass effect from WWDC 2025 using CSS, SVG displacement maps, and physics-based refraction calculations. The interactive demo works in Chrome only, but the technique breakdown is fascinating.
Common React Query questions answered in one comprehensive post. From why query functions aren't called to handling complex state scenarios, this is the reference guide you'll bookmark and return to repeatedly.
Vercel engineers held a creative competition to break Biome's lint rule for catching unhandled promises. The winning entry involved Proxy Promises and was wonderfully convoluted. Great example of how thorough testing improves open source tools.
Fresh 2.0 Graduates to Beta by Deno
Fresh 2.0 beta is here with Vite integration, bringing hot module reloading, 10x faster boot times, and access to the full Vite plugin ecosystem. The production optimizations alone make this worth checking out if you're in the Deno ecosystem.
☕ Coffee Fact of the Day
Finland consumes more coffee per capita than any other country in the world - about 26 pounds per person per year. That's roughly 4 cups a day for every man, woman, and child. Coincidentally, Finland also has some of the best software engineers on the planet. Connection? We think so.
That's a wrap on episode #29. Stay caffeinated, keep your dependencies updated, and remember “trust but verify”, especially when it comes to your node_modules.
Keep brewing!