npm-security
Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.
123 articles
Malicious npm packages targeting developers in 2025
A year-end look at 2025's npm supply chain attacks—chalk/debug phishing, the Shai-Hulud worm, and industrialized malware campaigns—and how to defend against them.
npm typosquatting campaigns roundup
A roundup of npm typosquatting campaign patterns, from dependency confusion to AI-tooling lookalikes, and how teams can detect exposure fast.
npm postinstall script malware trends
npm postinstall script malware surged 61% in H1 2026. Here's how attackers weaponize lifecycle hooks — and how to detect and stop them.
Compromised maintainer accounts on npm
Recent npm maintainer account takeovers show how a single stolen credential can compromise billions of downloads. Here's the anatomy of the threat—and the defense.
npm package hijacking via expired maintainer domains
Attackers are hijacking npm packages by buying up maintainers' expired email domains to reset account passwords — here's how it works and how to detect it.
Best malicious package detection tools for open source de...
A field guide to malicious package detection tools for npm and PyPI, comparing real vendors on detection method, coverage, and dependency confusion handling.
Colors.js and Faker.js maintainer sabotage incident
In January 2022, colors.js and faker.js maintainer Marak Squires sabotaged his own packages, breaking thousands of builds—no compromise required.
node-ipc protestware incident
How a trusted maintainer turned node-ipc into "protestware," why transitive dependencies hid the blast radius, and what SBOM visibility could have prevented.
Dependency confusion attacks against major tech companies
A look at the dependency confusion attacks that hit Apple, Microsoft, PayPal, and PyTorch — and why the technique still works against top engineering orgs.
Compromise of Legitimate Upstream Packages
From xz-utils to polyfill.io, attackers increasingly compromise packages developers already trust rather than planting fakes. Here's how these attacks work and how Safeguard catches them.
Name Confusion Attacks: Typosquatting and Brandjacking
Typosquatting and brandjacking let attackers hijack trust in package names instead of writing exploits. Here's how crossenv, PyPI's 2017 campaign, and PyTorch's torchtriton breach actually worked.
CVE-2018-16487: Prototype pollution in lodash via merge/m...
CVE-2018-16487 let attackers pollute Object.prototype through lodash's merge, mergeWith, and defaultsDeep — a bypass of an earlier fix, patched in 4.17.11.