Safeguard
Tag

npm-security

Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.

123 articles

Software Supply Chain Security

Axios npm package RAT supply chain compromise

A compromised maintainer account pushed malicious axios releases carrying a cross-platform RAT to npm on March 31, 2026 — here's the full timeline and IOCs.

Jul 3, 20267 min read
Threat Research

What Is Protestware? When Maintainers Weaponize Their Own Packages

Protestware is open-source code a maintainer deliberately alters to make a political or personal statement, sometimes sabotaging users. Here is how it works and how to defend.

Jul 2, 20266 min read
Software Supply Chain Security

Understanding dependency confusion via npm package aliasing

npm's `npm:` alias syntax lets a trusted-looking dependency name resolve to attacker-controlled code — here's how that becomes dependency confusion, and how to detect it.

Jul 1, 20267 min read
Threat Research

What Is a Malicious Package? Supply-Chain Malware in Open Source

A malicious package is an open-source component built or altered to run attacker code on install or at runtime. Here is how they work, real npm and PyPI cases, and how to defend.

Jul 1, 20266 min read
Software Supply Chain Security

A forgotten contributor account compromised the Mastra npm scope

A dormant npm account with unrevoked publish rights let attackers trojanize 144 @mastra packages in 88 minutes, dropping a crypto-wallet RAT tied to Sapphire Sleet.

Jun 30, 20266 min read
Open Source Security

Dependabot malware detection in open source packages

Dependabot catches known vulnerabilities, not injected malware. Here's how GitHub Advanced Security handles malicious packages — and where the gaps remain.

Jun 29, 20267 min read
AI Security

Slopsquatting: When AI Hallucinates Package Names

LLMs invent plausible package names; attackers register them and wait. How slopsquatting works, why hallucinations repeat predictably, and the gates that stop it.

Jun 14, 20266 min read
Threat Intelligence

What Is Open Source Malware

Open source malware is code deliberately planted in packages to attack the systems that install it. Learn how it spreads, real incidents, and how it differs from CVEs.

Jun 3, 20267 min read
Open Source Security

npm's shift from implicit to explicit trust: what changed...

npm quietly rebuilt its trust model in 2025 after the chalk/debug hijack and the Shai-Hulud worm. Here's what changed, why JFrog's curation model isn't enough, and how Safeguard closes the gap.

May 29, 20267 min read
Open Source Security

10 npm security best practices

Real npm supply-chain incidents from event-stream to the 2025 chalk/debug hack, and 10 concrete practices to stop install-time attacks, typosquatting, and token theft.

May 28, 20267 min read
Application Security

10 React security best practices

Real CVEs, real npm supply chain hijacks, and the concrete React practices — from CSP to token storage — that actually stop them.

May 26, 20268 min read
Application Security

5 best practices for React with TypeScript security

TypeScript's type system stops at compile time. Five concrete practices — with real CVEs and incidents — for securing React + TypeScript apps against what it misses.

May 23, 20266 min read
npm-security (Page 3) — Safeguard Blog