npm-security
Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.
123 articles
Anatomy of an npm Build-Pipeline Hijack That Shipped a Cross-Platform RAT
One stolen npm token, three malicious releases, four hours online — and 8 million weekly downloads exposed to a cross-platform credential stealer.
Anatomy of a self-propagating npm worm
In September 2025, one phished maintainer account led to malicious chalk and debug releases hitting over 2B weekly downloads within two hours.
Software supply chain attack trends: what the public incident data shows
Sonatype tracked 454,648 new malicious packages in 2025 alone — over 1.2 million total since it started counting. Here's what three years of incident data reveal.
Anatomy of an npm Dependency Confusion Attack
One researcher published fake packages matching internal names at over 35 companies in 2021 and collected six-figure bounties — here's exactly how the registry resolution flaw works.
A dormant contributor account just took down the entire Mastra npm scope
One forgotten npm maintainer account let an attacker republish all 142 packages in the @mastra scope in 90 minutes, hitting a package with 4 million monthly downloads.
Malicious code in scoped npm packages: what the Miasma attack teaches
32 releases under the trusted @redhat-cloud-services npm scope shipped credential-stealing malware in June 2026 — with valid SLSA provenance attached.
colors.js and faker.js protestware sabotage
In 2022, maintainer Marak Squires turned colors.js and faker.js into protestware, breaking 19,000+ npm projects and coining a new supply chain threat term.
node-ipc protestware targeting Russia/Belarus IPs
In March 2022, node-ipc's maintainer shipped code wiping files on Russian and Belarusian machines. Here's what happened, how it spread, and how to catch it next time.
The Shai-Hulud npm worm campaign
A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.
SHA1-Hulud second-wave npm supply chain incident
Shai-Hulud's November 2025 second wave hit npm via a Bun-based worm, stealing cloud creds and re-publishing trojanized packages at scale.
Maintainer Account Takeover Attacks: Hijacking Trust in Open Source
A maintainer account takeover lets an attacker publish malicious versions of a trusted package under a legitimate identity. Here is how it happens and how to defend.
Mini Shai-Hulud AntV npm packages compromise
A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.