Safeguard
Tag

malicious-packages

Safeguard articles tagged "malicious-packages" — guides, analysis, and best practices for software supply chain and application security.

44 articles

Supply Chain Security

npm supply-chain attacks: typosquatting, dependency confusion, and postinstall malware

event-stream hid a wallet-stealing payload behind 8M downloads in 2018. Here's how typosquatting and dependency confusion actually work, and how to stop them.

Jul 15, 20266 min read
Buyer's Guides

Socket.dev Alternatives in 2026: An Honest Buyer's Guide

A balanced comparison of the leading Socket.dev alternatives in 2026 — Snyk, Endor Labs, Mend, Aikido, Sonatype, and Safeguard — with candid pros, cons, and a framework for choosing.

Jul 8, 20266 min read
Open Source Security

The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk

In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.

Jul 8, 20266 min read
Supply Chain Attacks

How npm's default install behavior leaked macOS text-replacement secrets

npm auto-runs postinstall scripts with zero prompts on every install — a design choice Snyk showed in June 2023 can pull sensitive data out of macOS defaults.

Jul 8, 20266 min read
Software Supply Chain Security

npm typosquatting attacks

npm typosquatting turns a single mistyped `npm install` into a live compromise. Real incidents, attack patterns, and defenses that actually catch it.

Jul 6, 20267 min read
Software Supply Chain Security

event-stream npm package backdoor incident

How a routine maintainer handoff let attackers slip a Bitcoin-stealing backdoor into event-stream, hitting millions of npm installs for ten weeks.

Jul 5, 20267 min read
Software Supply Chain Security

Axios npm package RAT supply chain compromise

A compromised maintainer account pushed malicious axios releases carrying a cross-platform RAT to npm on March 31, 2026 — here's the full timeline and IOCs.

Jul 3, 20267 min read
Threat Research

What Is Protestware? When Maintainers Weaponize Their Own Packages

Protestware is open-source code a maintainer deliberately alters to make a political or personal statement, sometimes sabotaging users. Here is how it works and how to defend.

Jul 2, 20266 min read
Software Supply Chain Security

Understanding dependency confusion via npm package aliasing

npm's `npm:` alias syntax lets a trusted-looking dependency name resolve to attacker-controlled code — here's how that becomes dependency confusion, and how to detect it.

Jul 1, 20267 min read
Threat Research

What Is a Malicious Package? Supply-Chain Malware in Open Source

A malicious package is an open-source component built or altered to run attacker code on install or at runtime. Here is how they work, real npm and PyPI cases, and how to defend.

Jul 1, 20266 min read
Threat Intelligence

Sonatype Firewall: Malicious Package Protection

Sonatype's Repository Firewall blocks known malicious packages at the door, but timing gaps and single-source blind spots still let real threats through.

Jun 5, 20267 min read
Open Source Security

Malicious packages and malware campaigns: the new reality...

Malicious open source packages don't wait for a CVE. See how npm worms, xz utils, and typosquats evade legacy SCA — and what real detection requires.

May 21, 20267 min read
malicious-packages — Safeguard Blog