malware-detection
Safeguard articles tagged "malware-detection" — guides, analysis, and best practices for software supply chain and application security.
31 articles
The eslint-config-prettier npm compromise: when phishing beats your SCA scanner
A phishing email spoofing npm support hijacked a maintainer's account and poisoned eslint-config-prettier, a package with roughly 30 million weekly downloads.
When the Scanner Is the Backdoor: The LiteLLM Trivy Attack
On March 19, 2026, TeamPCP hijacked Trivy's GitHub Action to steal LiteLLM's PyPI token, then shipped a backdoored release, CVE-2026-33634, CVSS 9.4.
The postmark-mcp Backdoor: What MCP Server Vetting Should Look Like
A trojanized MCP server BCC'd every email it sent to an attacker for weeks, downloaded 1,643 times, before anyone noticed. Here's the pattern and the fix.
Protestware: what colors.js and faker.js taught the industry about maintainer risk
One unpaid maintainer sabotaged two packages with 20M+ weekly downloads in a single week. Here's what colors.js and faker.js reveal about single-maintainer risk.
Postmortem: The Bun-Based Stealer Inside SAP's @cap-js and mbt Packages
Four SAP npm packages shipped a Bun-executed credential stealer on April 29, 2026 — a look at how it evaded Node-centric detection and what actually stops it.
Anatomy of a malicious npm package attack
One phished maintainer, 18 packages, and billions of weekly downloads — how npm/PyPI supply chain attacks actually unfold, and the signals that expose them.
Top open-source vulnerabilities in the npm ecosystem
Sonatype logged 512,000+ malicious npm packages in a year — a 156% jump. Here are the recurring vulnerability classes and how to catch them in CI.
The faker.js and colors.js Sabotage: What Maintainer-Driven Risk Teaches About Pinning
In January 2022 a trusted maintainer bricked two npm packages with a combined 26M+ weekly downloads — from his own account, with valid credentials.
Dependency confusion on npm: how public-registry precedence became a delivery channel for post-exploitation frameworks
In May 2022, Snyk found 200+ malicious npm packages, including one that polled for commands until it dropped a Cobalt Strike trojan, and another that delayed 30 minutes to dodge sandboxes.
The anatomy of a PyPI credential stealer
In a single 24-hour window in 2022, one actor shipped 12 malicious PyPI packages bundling Windows stealers that harvested browser, Discord, and Roblox credentials.
Anatomy of a Malicious Go Package Typosquat
A Go typosquat backdoored since 2021 stayed live for over three years because Go's module proxy caches code immutably — even after the attacker cleaned the repo.
Detecting malicious postinstall scripts in npm packages
A 2025 phishing attack compromised 18 npm packages with 2.6 billion weekly downloads. Here's how postinstall scripts became npm's top attack vector.