npm-security
Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.
123 articles
Regular expression DoS in the ms npm package
A ReDoS flaw in the ubiquitous npm package ms (CVE-2015-8315) still surfaces in dependency scans today. Here's the impact, fix, and remediation steps.
Filesystem takeover vulnerabilities in the npm package manager
How npm and node-tar "filesystem takeover" CVEs let malicious packages overwrite files via symlinks and path traversal during install.
JavaScript frameworks security report
Safeguard's H1 2026 audit finds 61% of JS repos ship a high-severity framework CVE, with a 47-day median patch lag attackers routinely beat.
Dependency Confusion Attack
How dependency confusion attacks exploit registry name collisions to run attacker code inside corporate networks, from Alex Birsan's 2021 research to the 2022 PyTorch breach.
What is Dependency Confusion
Dependency confusion lets attackers hijack builds by publishing malicious packages under private package names to public registries. Here's how it works.
What is Typosquatting
Typosquatting tricks developers into installing malicious lookalike packages. Learn how it works, real npm/PyPI attacks, and how to detect it.
What Are Malicious Packages
Malicious npm packages steal credentials, mine crypto, or wipe files. Learn how attackers plant them and how to detect and stop them fast.
Typosquatting packages
What is typosquatting? A precise breakdown of package typosquatting attacks, real npm and PyPI examples, and how lookalike malicious packages slip into builds.
Blocking Malicious Packages at the Proxy Level With Artifactory
Once a compromised dependency reaches a laptop or CI runner, you are doing incident response. Blocked at the Artifactory proxy, it is a log line. Here is the configuration that makes that happen.
npm Provenance Statements: What They Prove and What They Don't
npm provenance ties a package to the commit and CI run that built it. That's genuinely useful — and narrower than most teams assume. Here's the exact boundary.
The event-stream npm Attack Explained
In 2018, a hijacked npm maintainer account turned event-stream into a supply chain weapon against crypto wallets. Here's the full CVE-style breakdown.
The left-pad npm Incident Explained
No CVE, no CVSS — just one unpublished package that broke the internet's build pipelines. Here's what left-pad still teaches security teams.