malicious-packages
Safeguard articles tagged "malicious-packages" — guides, analysis, and best practices for software supply chain and application security.
44 articles
npm supply-chain attacks: typosquatting, dependency confusion, and postinstall malware
event-stream hid a wallet-stealing payload behind 8M downloads in 2018. Here's how typosquatting and dependency confusion actually work, and how to stop them.
Socket.dev Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the leading Socket.dev alternatives in 2026 — Snyk, Endor Labs, Mend, Aikido, Sonatype, and Safeguard — with candid pros, cons, and a framework for choosing.
The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk
In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.
How npm's default install behavior leaked macOS text-replacement secrets
npm auto-runs postinstall scripts with zero prompts on every install — a design choice Snyk showed in June 2023 can pull sensitive data out of macOS defaults.
npm typosquatting attacks
npm typosquatting turns a single mistyped `npm install` into a live compromise. Real incidents, attack patterns, and defenses that actually catch it.
event-stream npm package backdoor incident
How a routine maintainer handoff let attackers slip a Bitcoin-stealing backdoor into event-stream, hitting millions of npm installs for ten weeks.
Axios npm package RAT supply chain compromise
A compromised maintainer account pushed malicious axios releases carrying a cross-platform RAT to npm on March 31, 2026 — here's the full timeline and IOCs.
What Is Protestware? When Maintainers Weaponize Their Own Packages
Protestware is open-source code a maintainer deliberately alters to make a political or personal statement, sometimes sabotaging users. Here is how it works and how to defend.
Understanding dependency confusion via npm package aliasing
npm's `npm:` alias syntax lets a trusted-looking dependency name resolve to attacker-controlled code — here's how that becomes dependency confusion, and how to detect it.
What Is a Malicious Package? Supply-Chain Malware in Open Source
A malicious package is an open-source component built or altered to run attacker code on install or at runtime. Here is how they work, real npm and PyPI cases, and how to defend.
Sonatype Firewall: Malicious Package Protection
Sonatype's Repository Firewall blocks known malicious packages at the door, but timing gaps and single-source blind spots still let real threats through.
Malicious packages and malware campaigns: the new reality...
Malicious open source packages don't wait for a CVE. See how npm worms, xz utils, and typosquats evade legacy SCA — and what real detection requires.