Safeguard
Tag

npm-security

Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.

123 articles

Open Source Security

What is npm Security

A concrete look at npm security: real 2025 supply chain attacks on chalk and debug, the Shai-Hulud worm, and how teams actually defend the npm dependency tree.

Feb 8, 20268 min read
Open Source Security

npm supply chain attacks via malicious postinstall scripts

How a single postinstall hook in a compromised npm package can run malware at install time, real incidents from 2018-2025, and how to defend against it.

Jan 25, 20267 min read
DevSecOps

Compromised npm packages in the React and Next.js build p...

A react npm supply chain incident case study: how a phishing attack on a single maintainer compromised chalk, debug, and other build-pipeline dependencies.

Jan 23, 20268 min read
Software Supply Chain Security

What is a Malicious Commit / Compromised Maintainer Account

When an attacker steals a maintainer's credentials, every user of that package inherits the compromise. Here's how it happens and how to catch it.

Jan 19, 20267 min read
Vulnerability Analysis

systeminformation npm package command injection (CVE-2021-21315)

A critical command injection flaw in the systeminformation npm package (CVE-2021-21315) let attackers run OS commands via unsanitized shell calls. Here's the full breakdown.

Jan 12, 20268 min read
Vulnerability Analysis

lodash prototype pollution via zipObjectDeep (CVE-2020-8203)

CVE-2020-8203 lets attackers pollute Object.prototype via lodash's zipObjectDeep. Learn affected versions, CVSS/EPSS context, and remediation steps.

Jan 12, 20267 min read
Vulnerability Analysis

lodash template code injection (CVE-2021-23337)

CVE-2021-23337 lets attackers inject code via lodash's template function. Here's the impact, affected versions, CVSS/EPSS context, and how to remediate it.

Jan 12, 20268 min read
Vulnerability Analysis

minimist prototype pollution (CVE-2020-7598)

A deep dive into CVE-2020-7598, the minimist prototype pollution vulnerability that rippled across the npm ecosystem, with impact, timeline, and remediation steps.

Jan 6, 20267 min read
Vulnerability Analysis

npm registry package hijacking incidents (CVE-2015-8858 era)

CVE-2015-8858 anchors a broader era of npm registry package hijacking — tar-extraction path traversal, left-pad, and weak account security explained.

Jan 4, 20268 min read
Vulnerability Analysis

browserslist ReDoS vulnerability (CVE-2021-23364)

A ReDoS flaw in browserslist (CVE-2021-23364) let crafted query strings stall builds across the JS ecosystem. Here's the full breakdown and fix.

Jan 3, 20267 min read
Vulnerability Analysis

ansi-regex ReDoS vulnerability (CVE-2021-3807)

CVE-2021-3807 is a ReDoS flaw in the widely-used ansi-regex npm package. Here's the impact, affected versions, CVSS/EPSS context, and how to fix it.

Jan 3, 20268 min read
Vulnerability Analysis

http-cache-semantics ReDoS vulnerability (CVE-2022-25881)

CVE-2022-25881 lets attacker-influenced HTTP responses trigger catastrophic regex backtracking in http-cache-semantics, hanging Node.js services. Here's how to detect and fix it.

Jan 1, 20267 min read
npm-security (Page 6) — Safeguard Blog