Four lines in ~/.npmrc block the most common npm supply chain attacks before they execute. Setup takes 30 seconds. This is the bare-minimum defense for anyone letting Claude Code or Cursor run npm install on their machine.

These four lines are on my laptop right now. I added them the morning the axios news broke and forgot about them. Since then, every npm install Claude Code has run on my machine, across five side projects, has skipped lifecycle scripts by default. Zero breakage. Zero effort.

```ini
# ~/.npmrc
ignore-scripts = true
save-exact = true
audit-level = moderate
fund = false
```

In 2025, attackers published 454,648 malicious npm packages — roughly half a million in a single year (Sonatype Open Source Malware Index, 2026). The four lines above block the most common payload mechanism (lifecycle scripts) for every project on your laptop, including whatever Claude Code ran at 2am last night.

Why is your default npm setup unsafe in 2026?…
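An added example, not part of the original post: a small Node.js check that the four ~/.npmrc settings are the values npm would actually use once a project-level .npmrc is layered on top, since npm gives the project file priority over the user file. The function names and the sample project file are constructed for illustration; environment variables and command-line flags, which also take priority, are not modelled.

```javascript
// Added example, not from the original post. HARDENED holds the four values
// the post puts in ~/.npmrc; PROJECT_NPMRC is a constructed sample.
const HARDENED = {
  'ignore-scripts': 'true',
  'save-exact': 'true',
  'audit-level': 'moderate',
  fund: 'false',
};
const USER_NPMRC = `# ~/.npmrc
ignore-scripts = true
save-exact = true
audit-level = moderate
fund = false
`;
const PROJECT_NPMRC = '; constructed project-level .npmrc\nignore-scripts=false\n';

// Parse npmrc text: "key = value" pairs; lines starting with '#' or ';' are comments.
function parseNpmrc(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    const key = (eq === -1 ? line : line.slice(0, eq)).trim();
    // A bare key with no '=' is treated here as boolean true.
    const value = eq === -1 ? 'true' : line.slice(eq + 1).trim();
    out[key] = value.replace(/^(["'])(.*)\1$/, '$2'); // strip matching quotes
  }
  return out;
}

// Report every hardened key whose effective value is unset or different,
// together with the file that decided it. The project layer is applied last.
function auditNpmrc(userText, projectText = '') {
  const effective = {};
  for (const [source, text] of [['user', userText], ['project', projectText]])
    for (const [key, value] of Object.entries(parseNpmrc(text)))
      effective[key] = { value, source };
  const findings = [];
  for (const [key, want] of Object.entries(HARDENED)) {
    const got = effective[key];
    if (!got) findings.push({ key, problem: 'unset', source: 'npm default' });
    else if (got.value !== want)
      findings.push({ key, problem: `is ${got.value}, expected ${want}`, source: got.source });
  }
  return findings;
}

console.log(auditNpmrc(USER_NPMRC, PROJECT_NPMRC));
```

Running `npm config get ignore-scripts` inside a project directory shows the value npm itself resolves, including any environment variable or flag override.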