Safeguard
Tag

malware-detection

Safeguard articles tagged "malware-detection" — guides, analysis, and best practices for software supply chain and application security.

31 articles

Supply Chain Attacks

Anatomy of an npm maintainer account takeover

A single phishing email hit eslint-config-prettier's ~30M weekly downloads in July 2025 — no code compromise needed, just a stolen npm login.

Jul 9, 20266 min read
Supply Chain Attacks

The npm worm incident response playbook

Shai-Hulud compromised 500+ npm packages by auto-publishing itself with stolen tokens. Here's a concrete detection, rotation, and pinning playbook.

Jul 9, 20265 min read
Supply Chain Attacks

Inside the npm Reward-Farming Worm That Published 89,000+ Packages

One npm publishing bot exploited a crypto reward protocol to spam 89,000+ packages, some appearing every 7-10 seconds. Here's how it worked and how to spot it.

Jul 9, 20267 min read
Open Source Security

The 4 dimensions of open-source dependency risk

Open-source risk isn't one problem — CVEs, malware, license exposure, and abandonment each fail differently, and Sonatype logged 454,600+ malicious packages in 2025 alone.

Jul 9, 20267 min read
Supply Chain Attacks

Bun-compiled JS binaries as PyPI credential stealers

Two lightning releases fetched the Bun runtime at import time to run an 11MB obfuscated JS stealer — PyPI's Python trust model didn't expect a JS binary.

Jul 8, 20266 min read
Supply Chain Attacks

How Malicious Skills Get Distributed Through Agent Registries

CVE-2025-59536 (CVSS 8.7) let a single malicious commit auto-approve MCP servers in Claude Code, no install click required. Registries need the same controls as package managers.

Jul 8, 20266 min read
Supply Chain Attacks

The Moq NuGet incident: how a mocking library harvested developer emails

In August 2023, Moq v4.20.0 quietly ran git config at build time and phoned home 10,356 times before anyone pulled it — via a dependency nobody vetted.

Jul 8, 20266 min read
Supply Chain Attacks

Anatomy of an npm Build-Pipeline Hijack That Shipped a Cross-Platform RAT

One stolen npm token, three malicious releases, four hours online — and 8 million weekly downloads exposed to a cross-platform credential stealer.

Jul 8, 20266 min read
Supply Chain Attacks

Anatomy of a self-propagating npm worm

In September 2025, one phished maintainer account led to malicious chalk and debug releases hitting over 2B weekly downloads within two hours.

Jul 8, 20267 min read
Industry Analysis

The State of Open Source Security: What a Year of Disclosure Data Shows

454,600+ new malicious packages hit open-source registries in 2025, and NVD still closed the year with a 27,000-CVE enrichment backlog.

Jul 8, 20266 min read
Supply Chain Attacks

A dormant contributor account just took down the entire Mastra npm scope

One forgotten npm maintainer account let an attacker republish all 142 packages in the @mastra scope in 90 minutes, hitting a package with 4 million monthly downloads.

Jul 7, 20266 min read
Supply Chain Attacks

Malicious code in scoped npm packages: what the Miasma attack teaches

32 releases under the trusted @redhat-cloud-services npm scope shipped credential-stealing malware in June 2026 — with valid SLSA provenance attached.

Jul 7, 20267 min read
malware-detection (Page 2) — Safeguard Blog