npm Supply Chain Attacks: What Actually Happens Inside Your Registry

A proper look at how attackers get into your dependency tree, what they do once they are in, and why your lockfile alone is not going to save you.