One Phished Developer. Two Billion Downloads. The Blind Spot That Broke Software Security.

Matthew Wise · Sep 9, 2025

In September 2025, the world watched as ~20 popular npm packages—including chalk and debug—were poisoned in a supply-chain attack. Together, they had over 2 billion weekly downloads.

The attackers didn’t exploit cloud infrastructure. They didn’t slip past a runtime scanner. They went upstream—to a single developer.

By phishing one maintainer’s credentials, they published malicious versions carrying a multi-chain crypto drainer, silently swapping wallet addresses and exposing millions of applications worldwide.

This wasn’t a bug. It was a breach of trust at the source of innovation—the developer.

The Weakest Link Wasn’t the Cloud. It Was the Coder.

Security teams have built powerful defenses around cloud (CNAPP), code (ASPM), and runtime (XDR/SIEM). But all of these operate after code is written.

The npm breach shows what happens before that: if a developer identity is compromised, poisoned code enters the ecosystem upstream—before any scanner, deployment, or runtime defense ever has a chance.

That is the blind spot.

The Missing Layer: Developer Security Posture Management (DevSPM)

Archipelo created Developer Security Posture Management (DevSPM) to close this gap. DevSPM brings observability and control to the people and AI systems who create code—not just the artifacts they produce.

If DevSPM had been in place, the signals of compromise could have been observed, flagged and mitigated earlier:

  • Identity anomaly detection → Unusual login source and 2FA use would have been flagged.
  • Behavioral deviation alerts → Suspicious publishing activity outside the maintainer’s norms would have triggered response.
  • Code-actor correlation → Injected malware tied back to the compromised identity in real time.

With this upstream visibility, security teams would have had the chance to intervene before the attack cascaded downstream into billions of downloads.
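The three signals above, as an added example that is not Archipelo's code: a small detector that profiles a maintainer's past npm publish events (country, 2FA method, hour of day), flags new publishes that deviate, and ties each finding back to the publishing identity. Every event is constructed; the actor `maint-a`, the country code `XX` and the package `example-pkg` are placeholders.

```javascript
// Added example, not Archipelo's code. Profiles a maintainer's past npm publish
// events and flags new publishes that deviate. Every event below is constructed;
// 'maint-a', country 'XX' and the package 'example-pkg' are placeholders.
const BASELINE = [
  { actor: 'maint-a', pkg: 'chalk', ts: '2025-08-01T14:05:00Z', country: 'US', mfa: 'totp' },
  { actor: 'maint-a', pkg: 'debug', ts: '2025-08-12T15:40:00Z', country: 'US', mfa: 'totp' },
  { actor: 'maint-a', pkg: 'chalk', ts: '2025-08-20T13:10:00Z', country: 'US', mfa: 'totp' },
];

// Per-actor profile: countries seen, 2FA methods used, publish hours (UTC).
function buildProfile(events) {
  const profile = {};
  for (const e of events) {
    const p = profile[e.actor] ||
      (profile[e.actor] = { countries: new Set(), mfa: new Set(), hours: new Set() });
    p.countries.add(e.country);
    p.mfa.add(e.mfa);
    p.hours.add(new Date(e.ts).getUTCHours());
  }
  return profile;
}

// Compare new events to the profile; every finding carries the actor (code-actor correlation).
function detectAnomalies(baseline, events, burstWindowMs = 10 * 60 * 1000, burstPkgs = 3) {
  const profile = buildProfile(baseline);
  const findings = [];
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  sorted.forEach((e, i) => {
    const p = profile[e.actor];
    const flag = (signal, extra = {}) => findings.push({ actor: e.actor, pkg: e.pkg, signal, ...extra });
    if (!p) { flag('unknown-actor'); return; }
    if (!p.countries.has(e.country)) flag('unusual-login-source');
    if (!p.mfa.has(e.mfa)) flag('mfa-method-change');
    if (!p.hours.has(new Date(e.ts).getUTCHours())) flag('off-hours-publish');
    // Burst: distinct packages this actor published within the window ending at this event.
    const t = Date.parse(e.ts);
    const recent = sorted.slice(0, i + 1)
      .filter((x) => x.actor === e.actor && t - Date.parse(x.ts) <= burstWindowMs);
    const pkgs = new Set(recent.map((x) => x.pkg));
    if (pkgs.size >= burstPkgs) flag('publish-burst', { packages: [...pkgs] });
  });
  return findings;
}

// Constructed incident: three packages in six minutes, at 03:00 UTC, from a new country, with a new 2FA method.
const INCIDENT = [
  { actor: 'maint-a', pkg: 'chalk', ts: '2025-09-08T03:02:00Z', country: 'XX', mfa: 'sms' },
  { actor: 'maint-a', pkg: 'debug', ts: '2025-09-08T03:05:00Z', country: 'XX', mfa: 'sms' },
  { actor: 'maint-a', pkg: 'example-pkg', ts: '2025-09-08T03:08:00Z', country: 'XX', mfa: 'sms' },
];
```

Running `detectAnomalies(BASELINE, INCIDENT)` yields ten findings (three per event plus one publish burst), while replaying the baseline against itself yields none.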

A Paradigm Shift in Securing Innovation

This incident wasn’t isolated. It’s the new normal.

  • Developers are now the primary attack vector.
  • AI copilots and autonomous agents expand the attack surface further.
  • Supply-chain trust is fragile—one compromised account can ripple across the world.

DevSPM is how enterprises adapt.

  • Pre-commit and post-commit observability of developer and AI actions.
  • Continuous posture monitoring tied to developer and AI identity and context.
  • A system of record that makes developers—human and AI—accountable, auditable, and secure.

CNAPP and ASPM remain critical. But without DevSPM upstream, they are blind to the first and most important layer: the coder (human and AI).

The Call to Security Leaders

The npm attack caused limited financial loss this time. Next time, it could be catastrophic.

Boards and CISOs must now expand their mental model. It is no longer enough to secure the code and the cloud. The enterprise must secure the coder—human and AI alike.

That’s what Archipelo DevSPM delivers: the missing layer of software security at the source of innovation.

Because if you don’t secure the coder, nothing downstream is safe.

Book a live demo and see how Archipelo helps teams align velocity, accountability, and security at the source.
