Safeguard
Tag

npm-security

Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.

123 articles

Vulnerability Analysis

Regular expression DoS in the ms npm package

A ReDoS flaw in the ubiquitous npm package ms (CVE-2015-8315) still surfaces in dependency scans today. Here's the impact, fix, and remediation steps.

May 2, 20267 min read
Vulnerability Analysis

Filesystem takeover vulnerabilities in the npm package manager

How npm and node-tar "filesystem takeover" CVEs let malicious packages overwrite files via symlinks and path traversal during install.

May 1, 20267 min read
Industry Analysis

JavaScript frameworks security report

Safeguard's H1 2026 audit finds 61% of JS repos ship a high-severity framework CVE, with a 47-day median patch lag attackers routinely beat.

Apr 24, 20267 min read
Cloud Security

Dependency Confusion Attack

How dependency confusion attacks exploit registry name collisions to run attacker code inside corporate networks, from Alex Birsan's 2021 research to the 2022 PyTorch breach.

Apr 13, 20266 min read
Software Supply Chain Security

What is Dependency Confusion

Dependency confusion lets attackers hijack builds by publishing malicious packages under private package names to public registries. Here's how it works.

Apr 4, 20266 min read
Software Supply Chain Security

What is Typosquatting

Typosquatting tricks developers into installing malicious lookalike packages. Learn how it works, real npm/PyPI attacks, and how to detect it.

Apr 4, 20267 min read
Software Supply Chain Security

What Are Malicious Packages

Malicious npm packages steal credentials, mine crypto, or wipe files. Learn how attackers plant them and how to detect and stop them fast.

Apr 3, 20267 min read
Open Source Security

Typosquatting packages

What is typosquatting? A precise breakdown of package typosquatting attacks, real npm and PyPI examples, and how lookalike malicious packages slip into builds.

Mar 3, 20266 min read
Supply Chain

Blocking Malicious Packages at the Proxy Level With Artifactory

Once a compromised dependency reaches a laptop or CI runner, you are doing incident response. Blocked at the Artifactory proxy, it is a log line. Here is the configuration that makes that happen.

Feb 18, 20266 min read
Engineering

npm Provenance Statements: What They Prove and What They Don't

npm provenance ties a package to the commit and CI run that built it. That's genuinely useful — and narrower than most teams assume. Here's the exact boundary.

Feb 11, 20266 min read
Vulnerability Analysis

The event-stream npm Attack Explained

In 2018, a hijacked npm maintainer account turned event-stream into a supply chain weapon against crypto wallets. Here's the full CVE-style breakdown.

Feb 10, 20267 min read
Vulnerability Analysis

The left-pad npm Incident Explained

No CVE, no CVSS — just one unpublished package that broke the internet's build pipelines. Here's what left-pad still teaches security teams.

Feb 9, 20268 min read
npm-security (Page 5) — Safeguard Blog