Safeguard
Tag

npm-security

Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.

123 articles

Open Source Security

Malicious packages and malware campaigns: the new reality...

Malicious open source packages don't wait for a CVE. See how npm worms, xz utils, and typosquats evade legacy SCA — and what real detection requires.

May 21, 20267 min read
Supply Chain

Axios npm Vulnerabilities: The Full CVE History and Patch Guide

Every notable axios npm vulnerability, from the 2019 DoS to the 2025 SSRF, with the fixed versions and a patch path that also catches the transitive ones.

May 19, 20266 min read
Software Supply Chain Security

Malicious Package Detection: Behavioral vs Signature-Base...

A side-by-side look at signature-based malicious package detection (like Endor Labs) versus behavioral analysis, using real npm attack timelines from Shai-Hulud to chalk/debug.

May 17, 20267 min read
Software Supply Chain Security

Trusted Publishing for npm: Why Only 14% of Compromised P...

Only 14% of packages compromised since npm launched Trusted Publishing use it. Here's how OIDC-based publishing works, why adoption lags, and what still gets missed.

May 17, 20268 min read
Software Supply Chain Security

Package Firewall: Blocking Malicious Dependencies at Inst...

Malicious npm and PyPI packages are published daily. See why a package firewall that blocks at install time stops attacks that post-hoc scanners catch too late.

May 17, 20268 min read
Software Supply Chain Security

Dependency Cooldown Periods as a Malware Defense

Malicious npm packages are often caught within days. Cooldown periods exploit that lag — here's how they work, and how Endor Labs and Safeguard compare.

May 17, 20268 min read
Industry Analysis

Malicious postinstall scripts in npm packages

From eslint-scope in 2018 to the 2025 Shai-Hulud worm, npm postinstall scripts keep delivering malware before any scan or review runs. Here's how it works and what stops it.

May 10, 20267 min read
Threat Intelligence

Typosquatting across package registries (npm, Go, PyPI)

Typosquatting has infected npm, PyPI, and now Go modules. We break down real attacks like crossenv and colourama, how Socket.dev detects them, and where the gaps remain.

May 9, 20267 min read
Product

npm/package health and quality scoring methodology

How npm package health scores are calculated, why Socket.dev's model misses live supply chain attacks, and what Safeguard checks instead.

May 8, 20267 min read
Product

Minimum release age / cooldown policies for new package v...

A cooldown on new npm package versions can block malicious releases before they reach your build. Here's how minimum release age policies work.

May 7, 20269 min read
Best Practices

Why EDR and proxy tools won't stop supply chain malware

EDR and network proxies were built to watch endpoints and traffic, not evaluate what a dependency does before it runs — here's why that gap keeps letting supply chain malware through.

May 3, 20268 min read
Vulnerability Analysis

Lodash prototype pollution vulnerabilities explained

A breakdown of lodash's prototype pollution CVEs (CVE-2018-3721, CVE-2019-10744, CVE-2020-8203), their impact, and concrete remediation steps.

May 2, 20267 min read
npm-security (Page 4) — Safeguard Blog