Safeguard
Tag

npm-security

Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.

123 articles

Vulnerability Analysis

What is prototype pollution and why it keeps recurring in npm packages

Prototype pollution has hit lodash, jQuery, minimist, hoek, and immer since 2018. Here's how the bug works and why it keeps coming back in npm.

Dec 15, 20256 min read
Vulnerability Analysis

Typosquatting in open source package registries explained

Typosquatting hides malware behind a one-character package name typo. Learn how it works, real incidents, and how to detect it before your build runs.

Dec 7, 20257 min read
Vulnerability Analysis

How to detect malicious npm packages

Real npm supply chain attacks — event-stream, ua-parser-js, node-ipc, and the 2025 chalk/debug breach — show how to spot and stop malicious packages.

Dec 7, 20256 min read
Open Source Security

node-tar Arbitrary File Write via Symlink Extraction (CVE...

CVE-2021-32803 allows crafted symlinks in tar archives to make node-tar write files outside the extraction directory via malicious npm packages.

Dec 2, 20257 min read
Open Source Security

node-tar Second Bypass Enabling Arbitrary File Write (CVE...

CVE-2021-32804 let crafted tar archives bypass node-tar path sanitization, enabling arbitrary file writes during npm package extraction.

Dec 2, 20257 min read
Open Source Security

node-tar Windows-Specific Path Traversal Bypass (CVE-2021...

CVE-2021-37712 let malicious tar archives bypass node-tar's symlink protections on Windows via junctions, enabling path traversal during npm installs. Here's what to patch.

Dec 2, 20258 min read
Open Source Security

minimist Prototype Pollution and Its Ripple Effect Across...

CVE-2020-7598 is a prototype pollution bug in minimist that let attackers taint Object.prototype, rippling through thousands of npm dependents.

Dec 2, 20258 min read
Open Source Security

lodash zipObjectDeep Prototype Pollution (CVE-2020-8203)

CVE-2020-8203 is a prototype pollution flaw in lodash's zipObjectDeep, affecting versions before 4.17.19. Here's the impact, timeline, and how to remediate it.

Dec 1, 20258 min read
Open Source Security

The coa and rc npm Maintainer Account Hijack Incident

How the coa and rc npm hijack let attackers seize maintainer accounts on two packages with 20M+ weekly downloads to push Windows password-stealing malware.

Dec 1, 20256 min read
Open Source Security

npm prototype pollution trends report 2025

Safeguard's 2025 analysis of npm prototype pollution advisories reveals rising volume, deeper transitive exposure, and why reachability—not CVSS alone—now separates real risk from noise.

Dec 1, 20257 min read
Vulnerability Analysis

node-ipc 'Protestware' Sabotage Code Shipped to Millions ...

How a rogue node-ipc update turned a trusted npm dependency into disk-wiping protestware, and what CVE-2022-23812 means for your supply chain.

Dec 1, 20258 min read
Open Source Security

State of npm supply chain attacks

Maintainer phishing, self-propagating worms, and mass-download packages compromised: a look at the npm supply chain attack trends reshaping open source risk.

Nov 30, 20257 min read
npm-security (Page 7) — Safeguard Blog