Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
colors.js and faker.js: When Maintainer Burnout Becomes a Supply Chain Crisis
Marak Squires deliberately broke two of npm's most popular packages to protest the exploitation of open source maintainers. The fallout exposed how fragile our dependency chains really are.
The ua-parser-js npm Hijack of October 2021
An npm package with 8 million weekly downloads shipped a cryptominer and credential stealer for four hours. Here is the exact sequence of events.
Python PyPI Malware Campaigns in 2021
Malicious packages on PyPI surged in 2021, targeting developers with credential stealers, backdoors, and data exfiltration. Here's what the campaigns look like and how to defend against them.
npm colors and faker Sabotage: When Maintainers Revolt
The maintainer of colors and faker deliberately corrupted his own packages, affecting thousands of projects. It raised uncomfortable questions about open source sustainability and trust.
Open Source Security: State of the Union 2021
Open source powers the modern internet, but its security model is under strain. Here's the 2021 landscape of open source risk, from funding to maintainer burnout to malicious packages.
npm Package ua-parser-js Compromised: 8 Million Weekly Downloads Weaponized
Attackers hijacked the ua-parser-js npm package account and published malicious versions containing cryptominers and password stealers. The package gets 8 million downloads per week.
Rust Foundation Formation: Security Implications
The Rust Foundation launched February 8, 2021. Here is what its formation actually changed for the security of Rust and downstream ecosystems.
event-stream: The Copay Attack That Rewrote npm
The 2018 event-stream incident was npm's first high-profile maintainer-handoff attack. The details still shape how we evaluate package trust.