npm-security
Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.
123 articles
How Snyk detects malicious and typosquatted open-source p...
How Snyk's research team detects malicious and typosquatted open-source packages — from name-similarity heuristics to install-script analysis and source-code provenance checks.
How Package Manager Design Choices Influence Supply Chain...
npm, PyPI, RubyGems, Go, and Cargo each made different design bets on install scripts, namespacing, and signing — and those bets directly shape supply chain attack surface.
Anatomy of a Typosquatting Campaign: How Attackers Pick T...
Real typosquatting campaigns follow a repeatable playbook: target selection, edit-distance tricks, and install-time payloads. Here's how attackers actually pick their targets.
Dependency Confusion Attacks Five Years Later: Are Enterp...
Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.
Why Malicious Package Counts Are Rising Faster Than Detec...
Malicious packages hit 245,000+ in 2023 alone, outpacing 2019-2022 combined. Here's why detection tooling can't keep up, and how the gap actually closes.
Protestware and Sabotage: When Maintainers Turn Against T...
Protestware turns trusted maintainers into insider threats. See how node-ipc, colors.js, and left-pad became sabotage vectors, and how Safeguard catches the next one.
Comparing Malicious Package Tactics Across npm, PyPI, Rub...
npm, PyPI, RubyGems, and crates.io each get hit by malicious packages differently. Real incidents from 2018-2025 show how attacker tactics shift by ecosystem.
Credential-Stealing Packages: What They Target and How Th...
Credential-stealing packages harvest env vars, browser passwords, and npm tokens at install time. Here's how ctx, W4SP, and Shai-Hulud actually work.
The Economics of Publishing Fake Packages at Scale
Publishing a malicious package costs an attacker almost nothing while payouts run into the millions. Here's the cost-benefit math behind fake packages — and how to break it.
How Package Takeover via Maintainer Account Compromise Ac...
Attackers don't hack npm's servers — they phish or socially engineer maintainers. Here's how account takeover turns trusted packages into malware.
Supply Chain Worming: Self-Propagating Malicious Packages...
How the Shai-Hulud npm worm self-propagated across 500+ packages in 48 hours by stealing tokens and republishing itself — and how to stop the next one.
Monitoring Package Maintainer Changes as a Threat Signal
Most package hijacks start with a maintainer change nobody was watching. Registry metadata makes these events observable — if you bother to look.