npm-security
Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.
123 articles
Axios npm package RAT supply chain compromise
A compromised maintainer account pushed malicious axios releases carrying a cross-platform RAT to npm on March 31, 2026 — here's the full timeline and IOCs.
What Is Protestware? When Maintainers Weaponize Their Own Packages
Protestware is open-source code a maintainer deliberately alters to make a political or personal statement, sometimes sabotaging users. Here is how it works and how to defend.
Understanding dependency confusion via npm package aliasing
npm's `npm:` alias syntax lets a trusted-looking dependency name resolve to attacker-controlled code — here's how that becomes dependency confusion, and how to detect it.
What Is a Malicious Package? Supply-Chain Malware in Open Source
A malicious package is an open-source component built or altered to run attacker code on install or at runtime. Here is how they work, real npm and PyPI cases, and how to defend.
A forgotten contributor account compromised the Mastra npm scope
A dormant npm account with unrevoked publish rights let attackers trojanize 144 @mastra packages in 88 minutes, dropping a crypto-wallet RAT tied to Sapphire Sleet.
Dependabot malware detection in open source packages
Dependabot catches known vulnerabilities, not injected malware. Here's how GitHub Advanced Security handles malicious packages — and where the gaps remain.
Slopsquatting: When AI Hallucinates Package Names
LLMs invent plausible package names; attackers register them and wait. How slopsquatting works, why hallucinations repeat predictably, and the gates that stop it.
What Is Open Source Malware
Open source malware is code deliberately planted in packages to attack the systems that install it. Learn how it spreads, real incidents, and how it differs from CVEs.
npm's shift from implicit to explicit trust: what changed...
npm quietly rebuilt its trust model in 2025 after the chalk/debug hijack and the Shai-Hulud worm. Here's what changed, why JFrog's curation model isn't enough, and how Safeguard closes the gap.
10 npm security best practices
Real npm supply-chain incidents from event-stream to the 2025 chalk/debug hack, and 10 concrete practices to stop install-time attacks, typosquatting, and token theft.
10 React security best practices
Real CVEs, real npm supply chain hijacks, and the concrete React practices — from CSP to token storage — that actually stop them.
5 best practices for React with TypeScript security
TypeScript's type system stops at compile time. Five concrete practices — with real CVEs and incidents — for securing React + TypeScript apps against what it misses.