Safeguard
Tag

npm-security

Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.

123 articles

Supply Chain Attacks

Anatomy of an npm Build-Pipeline Hijack That Shipped a Cross-Platform RAT

One stolen npm token, three malicious releases, four hours online — and 8 million weekly downloads exposed to a cross-platform credential stealer.

Jul 8, 20266 min read
Supply Chain Attacks

Anatomy of a self-propagating npm worm

In September 2025, one phished maintainer account led to malicious chalk and debug releases hitting over 2B weekly downloads within two hours.

Jul 8, 20267 min read
Supply Chain Attacks

Software supply chain attack trends: what the public incident data shows

Sonatype tracked 454,648 new malicious packages in 2025 alone — over 1.2 million total since it started counting. Here's what three years of incident data reveal.

Jul 8, 20267 min read
Supply Chain Attacks

Anatomy of an npm Dependency Confusion Attack

One researcher published fake packages matching internal names at over 35 companies in 2021 and collected six-figure bounties — here's exactly how the registry resolution flaw works.

Jul 7, 20266 min read
Supply Chain Attacks

A dormant contributor account just took down the entire Mastra npm scope

One forgotten npm maintainer account let an attacker republish all 142 packages in the @mastra scope in 90 minutes, hitting a package with 4 million monthly downloads.

Jul 7, 20266 min read
Supply Chain Attacks

Malicious code in scoped npm packages: what the Miasma attack teaches

32 releases under the trusted @redhat-cloud-services npm scope shipped credential-stealing malware in June 2026 — with valid SLSA provenance attached.

Jul 7, 20267 min read
Software Supply Chain Security

colors.js and faker.js protestware sabotage

In 2022, maintainer Marak Squires turned colors.js and faker.js into protestware, breaking 19,000+ npm projects and coining a new supply chain threat term.

Jul 5, 20266 min read
Software Supply Chain Security

node-ipc protestware targeting Russia/Belarus IPs

In March 2022, node-ipc's maintainer shipped code wiping files on Russian and Belarusian machines. Here's what happened, how it spread, and how to catch it next time.

Jul 4, 20266 min read
Software Supply Chain Security

The Shai-Hulud npm worm campaign

A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.

Jul 4, 20267 min read
Software Supply Chain Security

SHA1-Hulud second-wave npm supply chain incident

Shai-Hulud's November 2025 second wave hit npm via a Bun-based worm, stealing cloud creds and re-publishing trojanized packages at scale.

Jul 4, 20267 min read
Threat Research

Maintainer Account Takeover Attacks: Hijacking Trust in Open Source

A maintainer account takeover lets an attacker publish malicious versions of a trusted package under a legitimate identity. Here is how it happens and how to defend.

Jul 3, 20266 min read
Software Supply Chain Security

Mini Shai-Hulud AntV npm packages compromise

A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.

Jul 3, 20267 min read
npm-security (Page 2) — Safeguard Blog