npm-security
Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.
123 articles
What is prototype pollution and why it keeps recurring in npm packages
Prototype pollution has hit lodash, jQuery, minimist, hoek, and immer since 2018. Here's how the bug works and why it keeps coming back in npm.
Typosquatting in open source package registries explained
Typosquatting hides malware behind a one-character package name typo. Learn how it works, real incidents, and how to detect it before your build runs.
How to detect malicious npm packages
Real npm supply chain attacks — event-stream, ua-parser-js, node-ipc, and the 2025 chalk/debug breach — show how to spot and stop malicious packages.
node-tar Arbitrary File Write via Symlink Extraction (CVE...
CVE-2021-32803 allows crafted symlinks in tar archives to make node-tar write files outside the extraction directory via malicious npm packages.
node-tar Second Bypass Enabling Arbitrary File Write (CVE...
CVE-2021-32804 let crafted tar archives bypass node-tar path sanitization, enabling arbitrary file writes during npm package extraction.
node-tar Windows-Specific Path Traversal Bypass (CVE-2021...
CVE-2021-37712 let malicious tar archives bypass node-tar's symlink protections on Windows via junctions, enabling path traversal during npm installs. Here's what to patch.
minimist Prototype Pollution and Its Ripple Effect Across...
CVE-2020-7598 is a prototype pollution bug in minimist that let attackers taint Object.prototype, rippling through thousands of npm dependents.
lodash zipObjectDeep Prototype Pollution (CVE-2020-8203)
CVE-2020-8203 is a prototype pollution flaw in lodash's zipObjectDeep, affecting versions before 4.17.19. Here's the impact, timeline, and how to remediate it.
The coa and rc npm Maintainer Account Hijack Incident
How the coa and rc npm hijack let attackers seize maintainer accounts on two packages with 20M+ weekly downloads to push Windows password-stealing malware.
npm prototype pollution trends report 2025
Safeguard's 2025 analysis of npm prototype pollution advisories reveals rising volume, deeper transitive exposure, and why reachability—not CVSS alone—now separates real risk from noise.
node-ipc 'Protestware' Sabotage Code Shipped to Millions ...
How a rogue node-ipc update turned a trusted npm dependency into disk-wiping protestware, and what CVE-2022-23812 means for your supply chain.
State of npm supply chain attacks
Maintainer phishing, self-propagating worms, and mass-download packages compromised: a look at the npm supply chain attack trends reshaping open source risk.