Community-Driven Security: npm Supply Chain Protection Added

Community Research Led to Stronger Protection

Following yesterday’s axios supply chain attack announcement, we’ve implemented an additional protective layer based on security community recommendations.

After publishing our axios safety verification yesterday, our team researched additional defenses recommended by the security community on Twitter/X, including experts from Socket.dev (@feross), npm security researchers, and the broader open-source community.

Result: We’ve implemented time-delay protection in our .npmrc configuration that would have automatically blocked the axios attack.

What We Added

`.npmrc` Supply Chain Protection

# Supply chain attack protection (added April 1, 2026)
min-release-age=7
ignore-scripts=true

These two settings create a critical defensive layer:

1. `min-release-age=7` - Week-Old Package Rule

What it does: Blocks npm from installing packages newer than 7 days old.

Why it matters: Most supply chain attacks are discovered and removed within 48-72 hours. By waiting 7 days before adopting new package versions, we avoid the critical window when compromised packages are live on npm.

Real-world impact:

axios 1.14.0 (compromised March 27) → Would be blocked until April 3
axios 1.14.1 (compromised March 31) → Would be blocked until April 7
separadordeinfocc 1.0.0 (LofyGang attack, April 1) → Would be blocked until April 8

The axios attack would have been automatically prevented.

2. `ignore-scripts=true` - No Install Scripts

What it does: Prevents npm packages from running install/postinstall scripts during npm install.

Why it matters: The axios supply chain attack used postinstall scripts to:

Steal .env files with API keys and secrets
Exfiltrate credentials to remote servers (sfrclak.com, callnrwise.com)
Connect to WebSocket C2 channels for remote control

Real-world impact: Even if a compromised package made it past the 7-day delay, ignore-scripts=true would have prevented the credential theft and data exfiltration.

Defense in Depth

This .npmrc protection complements our existing security layers:

Layer 1: Socket.dev Integration (March 31)

Automated supply chain vulnerability scanning
GitHub Actions security audit daily at 9 AM UTC
Real-time alerts for typosquatting and malicious packages
CLI tool integration for local development

Layer 2: .npmrc Time-Delay Protection (April 1) ← NEW

min-release-age=7: Automatic 7-day waiting period for new packages
ignore-scripts=true: Block install scripts from all packages
Zero-configuration protection (works automatically)

Layer 3: Package Lock Discipline

Conservative update schedule (not chasing “latest”)
Manual review of dependency changes
Version pinning for critical dependencies

Layer 4: GitHub Advanced Security

Dependabot vulnerability alerts
Secret scanning for API keys/tokens
Code scanning for security issues
2FA enforcement for all maintainers

Why This Matters for Our Community

You Don’t Need to Be a Security Expert

These protections work automatically in the background:

No configuration required from users
No action needed during attacks
Transparent protection that doesn’t slow development

Lessons from Real Attacks

March 27-31, 2026 - axios Compromise:

3 malicious versions published over 4 days
Maintainer account takeover (jasonsaayman)
Credential theft via postinstall scripts
C2 infrastructure (142.11.206.73, 18.231.131.246)
Result with our protection: Would have been auto-blocked

April 1, 2026 - LofyGang Attack (separadordeinfocc):

Published same day as our .npmrc hardening
WebSocket C2 channel (ws://18.231.131.246:80)
Result with our protection: Would have been auto-blocked

Community-Powered Security

This protection was discovered through:

Twitter/X security community discussions
Socket.dev team recommendations (@feross)
npm security researcher insights (@yuvadam)
Open-source security best practices

When the community shares knowledge, everyone wins.

Why Your Data Is Safe: Local-First Architecture

Beyond protecting our build process, we’ve designed 3mpwrApp so your personal data is safe even in worst-case scenarios.

Your Data Stays on YOUR Device 🔒

Default behavior: Everything is local-first

Device Storage by Default:
- All user data starts on YOUR device (phone, tablet, computer)
- Uses AsyncStorage (mobile) or localStorage (web)
- AES-256 encryption for sensitive data
- Auth tokens stored in platform-native Keychain (iOS) / KeyStore (Android)
What’s Stored Locally:
- Your cases and evidence
- Wellness data (mood, energy, symptoms)
- Documents and uploaded files
- Personal notes and reminders
- Community chat messages (cached)
- All settings and preferences
Zero Cloud Requirement:
- Guest mode: 100% local, no cloud sync
- Works offline with full functionality
- No data leaves your device unless you choose

BYOC: Bring Your Own Cloud ☁️

You control where your data lives and who can access it.

Three Data Storage Modes:

Mode	Where Data Lives	Who Controls It	Best For
Guest Mode	Your device only	You (100%)	Maximum privacy, no cross-device sync
Default Mode	Your device + optional Firebase sync	Shared (encrypted)	Convenience, multi-device access
BYOC Mode	Your device + YOUR cloud storage	You (100%)	Data sovereignty + cloud backup

How BYOC Works:

Step 1: You Connect Your Cloud

Settings → Privacy → BYOC (Bring Your Own Cloud)
→ Choose: Google Drive, Dropbox, OneDrive, iCloud
→ Authenticate with YOUR account (not ours)

Step 2: Encrypted Backups to YOUR Cloud

App creates encrypted backup files
Syncs to YOUR Google Drive / Dropbox / etc.
Uses YOUR authentication tokens
3mpwrApp never sees your cloud credentials

Step 3: You Hold the Encryption Keys

Keys stored on YOUR device
We can’t decrypt your backups (only you can)
Delete the app? Your data stays in YOUR cloud
Reinstall? Restore from YOUR cloud

BYOC Protection Against Supply Chain Attacks:

Even if a compromised package made it into our app:

✅ Your data is encrypted - Attacker can’t read it without your device’s encryption key
✅ Keys never leave your device - ignore-scripts=true blocks malicious install scripts from stealing keys
✅ Your cloud, your control - BYOC mode means attacker can’t access YOUR Google Drive / Dropbox
✅ No central database to breach - Data is distributed across thousands of user-controlled cloud accounts
✅ Authentication isolated - Your cloud storage uses YOUR authentication, not app credentials

This is why local-first + BYOC matters:

In the axios attack, compromised packages stole .env files and credentials from developer machines. But user data stored on user devices with user-controlled encryption? Untouchable.

Real-World Example: axios Attack Containment

March 27-31, 2026 - What axios compromise COULD have done:

❌ Steal developer secrets (API keys, Firebase credentials) - BLOCKED by .npmrc
❌ Exfiltrate user database from centralized server - NO CENTRALIZED DATABASE
❌ Decrypt user data from cloud backups - KEYS ON USER DEVICES
❌ Access user’s Google Drive / Dropbox - USER CONTROLS AUTH

What actually happened:

✅ We detected the compromise before any npm operations
✅ User data remained local and encrypted on their devices
✅ BYOC users’ data stayed in their personal cloud accounts
✅ Zero user data exposure

Data Sovereignty = Security

Your data architecture protects you three ways:

Local-First: Data doesn’t transit through our servers by default
User-Controlled Cloud: BYOC puts you in charge of backups
Encryption: AES-256 means compromised app can’t read your data

Combined with .npmrc protection:

Supply chain attacks blocked before they reach production
Even if one got through, user data architecture limits damage
Multiple independent layers (defense in depth)

This is industry-leading privacy for disability rights / injury support apps.

Technical Details

How min-release-age Works

# Before (vulnerable):
$ npm install axios@latest
# ❌ Installs axios 1.14.1 (compromised, 1 day old)

# After (protected):
$ npm install axios@latest
# ✅ npm ERR! Package axios@1.14.1 is too new (1 day < 7 days)
# ✅ Falls back to axios 1.13.6 (safe, 42 days old)

How ignore-scripts Works

# Before (vulnerable):
$ npm install malicious-package
# ❌ Runs postinstall script
# ❌ Steals .env file
# ❌ Sends credentials to attacker

# After (protected):
$ npm install malicious-package
# ✅ Package installed
# ✅ NO scripts executed
# ✅ Credentials safe

When You Need Install Scripts

Some legitimate packages require install scripts (native bindings, binary downloads). For those specific cases:

# Temporarily allow scripts for trusted package:
$ npm install --ignore-scripts=false trusted-package

# Or in package.json for production:
{
  "scripts": {
    "postinstall": "npm rebuild specific-native-package"
  }
}

Default-deny security: Scripts blocked by default, explicitly allowed only when needed.

What This Means for 3mpwrApp

Current Status (as of April 1, 2026):

✅ axios verified safe (1.13.6, installed March 25)
✅ Socket.dev protection active (March 31)
✅ Time-delay protection active (April 1)
✅ Install script blocking active (April 1)
✅ No compromised packages detected
❌ npm operations still paused until axios all-clear (est. April 5-7)

Next Steps:

Monitor axios resolution (daily checks)
Resume npm operations after official all-clear
Install Socket.dev CLI when safe
Activate sfw tool (from @feross/Socket.dev)
Re-enable Dependabot alerts
Document lessons learned

For Other Developers

Implementing This Protection

1. Add to your .npmrc (project or global):

# Supply chain attack protection
min-release-age=7
ignore-scripts=true

2. Commit to your repository:

git add .npmrc
git commit -m "chore: Add supply chain attack protection"

3. Test with a recent package:

# Test min-release-age (should fail for packages <7 days old)
npm install some-brand-new-package

# Test ignore-scripts (should install but skip scripts)
npm install --dry-run

That’s it. No complex configuration, no ongoing maintenance.

Compatibility Notes

Compatible with: All npm versions 7.0.0+ (2020)
No breaking changes: Existing packages still work
Selective override: Use --ignore-scripts=false when needed
Team adoption: Works in package-lock.json for consistent behavior

Community Feedback Welcome

This protection was implemented based on community research and recommendations. We’d love to hear from you:

Have questions? Contact us via feedback form
Found this helpful? Share with other developers
Have additional recommendations? We’re always learning

Security is a team sport. By sharing knowledge and implementing best practices, we all build stronger, safer software.

3mpwrApp Safe from axios Supply Chain Attack - Initial announcement (March 31)
Comprehensive axios Attack Analysis - Full technical details (March 31)
Security Runbook: How We Protect You - Emergency procedures (March 31)
Security Architecture - 8-layer defense system

Timeline

March 27, 2026 19:01 UTC: axios 1.14.0 published (compromised)
March 31, 2026 00:21 UTC: axios 1.14.1 published (compromised)
March 31, 2026 01:00 UTC: axios 0.30.4 published (compromised)
March 31, 2026: 3mpwrApp publishes safety verification + Socket.dev integration
April 1, 2026: Community research leads to .npmrc protection implementation
April 1, 2026: LofyGang attack (separadordeinfocc) validates protection decision

The Bigger Picture: Data Sovereignty + Supply Chain Security

This incident reinforced a fundamental principle: Your data security shouldn’t depend solely on developer tools.

Two-Layer Protection Philosophy:

Layer 1: Prevent Compromises (Supply Chain Security)

.npmrc protection blocks malicious packages
Socket.dev monitors for threats
GitHub Advanced Security scans code
Goal: Stop attacks before they reach production

Layer 2: Limit Damage if Prevention Fails (Data Architecture)

Local-first storage (data on user devices)
BYOC mode (user-controlled cloud)
AES-256 encryption (keys on user devices)
Goal: Even if app compromised, user data stays safe

Why both matter:

In the axios attack, thousands of developers’ development credentials were stolen because they relied only on Layer 1 thinking. When that failed, they had no Layer 2.

3mpwrApp’s approach: Assume Layer 1 will eventually fail. Design Layer 2 so user data is protected regardless.

For Injured Workers & Persons with Disabilities

Your sensitive data is uniquely valuable and vulnerable:

Medical records and disability documentation
WSIB/WCB case files and evidence
Legal correspondence and strategies
Mental health and wellness tracking
Financial and benefits information

Traditional cloud apps store all this in centralized databases. One breach = everyone’s data exposed.

3mpwrApp’s architecture:

Your data stays on YOUR device
Encrypted with keys only YOU hold
Optional BYOC puts YOU in control of cloud storage
No central database to breach

This is data sovereignty for the disability rights movement.

A Message to Our Community

We’re not just building an app. We’re building a trust relationship.

When you document workplace injuries, track WSIB discrimination, or store evidence of systemic ableism - that’s not just “user data.” That’s your lived experience, your fight for justice, your path to healing.

We designed our security architecture around one question: “What if we get breached tomorrow?”

Would your WSIB case evidence be safe? Yes (local-first + BYOC)
Could attackers read your medical records? No (encrypted, keys on your device)
Would your legal strategy be exposed? No (no central database)
Could they access your wellness tracking? No (local storage)

Supply chain protection (.npmrc) reduces risk. Data sovereignty (BYOC) limits damage.

Together, they create resilient security worthy of your trust.

Status: All 3mpwrApp users and data remain completely safe. No action required from beta testers.

Questions? Email security@3mpwrapp.org or use our secure contact form.