Tag
malicious-package
Safeguard articles tagged "malicious-package" — guides, analysis, and best practices for software supply chain and application security.
3 articles
Threat Research
Lessons from event-stream: How a Free Handoff Became a Bitcoin Heist
A volunteer handed control of a hugely popular npm package to a stranger, who used it to target one Bitcoin wallet app. The event-stream incident is the case study in maintainer-handoff risk.
Jul 6, 20265 min read
Software Supply Chain Security
RubyGems strong_password malicious version RCE
In 2019, attackers hijacked the strong_password RubyGems account and shipped a backdoored v0.0.7 that let them eval() code in production Rails apps.
Jul 2, 20267 min read
Open Source Security
The coa and rc npm Maintainer Account Hijack Incident
How the coa and rc npm hijack let attackers seize maintainer accounts on two packages with 20M+ weekly downloads to push Windows password-stealing malware.
Dec 1, 20256 min read