npm-security
Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.
123 articles
Malicious packages and malware campaigns: the new reality...
Malicious open source packages don't wait for a CVE. See how npm worms, xz utils, and typosquats evade legacy SCA — and what real detection requires.
Axios npm Vulnerabilities: The Full CVE History and Patch Guide
Every notable axios npm vulnerability, from the 2019 DoS to the 2025 SSRF, with the fixed versions and a patch path that also catches the transitive ones.
Malicious Package Detection: Behavioral vs Signature-Base...
A side-by-side look at signature-based malicious package detection (like Endor Labs) versus behavioral analysis, using real npm attack timelines from Shai-Hulud to chalk/debug.
Trusted Publishing for npm: Why Only 14% of Compromised P...
Only 14% of packages compromised since npm launched Trusted Publishing use it. Here's how OIDC-based publishing works, why adoption lags, and what still gets missed.
Package Firewall: Blocking Malicious Dependencies at Inst...
Malicious npm and PyPI packages are published daily. See why a package firewall that blocks at install time stops attacks that post-hoc scanners catch too late.
Dependency Cooldown Periods as a Malware Defense
Malicious npm packages are often caught within days. Cooldown periods exploit that lag — here's how they work, and how Endor Labs and Safeguard compare.
Malicious postinstall scripts in npm packages
From eslint-scope in 2018 to the 2025 Shai-Hulud worm, npm postinstall scripts keep delivering malware before any scan or review runs. Here's how it works and what stops it.
Typosquatting across package registries (npm, Go, PyPI)
Typosquatting has infected npm, PyPI, and now Go modules. We break down real attacks like crossenv and colourama, how Socket.dev detects them, and where the gaps remain.
npm/package health and quality scoring methodology
How npm package health scores are calculated, why Socket.dev's model misses live supply chain attacks, and what Safeguard checks instead.
Minimum release age / cooldown policies for new package v...
A cooldown on new npm package versions can block malicious releases before they reach your build. Here's how minimum release age policies work.
Why EDR and proxy tools won't stop supply chain malware
EDR and network proxies were built to watch endpoints and traffic, not evaluate what a dependency does before it runs — here's why that gap keeps letting supply chain malware through.
Lodash prototype pollution vulnerabilities explained
A breakdown of lodash's prototype pollution CVEs (CVE-2018-3721, CVE-2019-10744, CVE-2020-8203), their impact, and concrete remediation steps.