Safeguard
Tag

npm-security

Safeguard articles tagged "npm-security" — guides, analysis, and best practices for software supply chain and application security.

123 articles

Open Source Security

Malicious npm packages targeting developers in 2025

A year-end look at 2025's npm supply chain attacks—chalk/debug phishing, the Shai-Hulud worm, and industrialized malware campaigns—and how to defend against them.

Nov 30, 20257 min read
Open Source Security

npm typosquatting campaigns roundup

A roundup of npm typosquatting campaign patterns, from dependency confusion to AI-tooling lookalikes, and how teams can detect exposure fast.

Nov 30, 20257 min read
Open Source Security

npm postinstall script malware trends

npm postinstall script malware surged 61% in H1 2026. Here's how attackers weaponize lifecycle hooks — and how to detect and stop them.

Nov 30, 20257 min read
Open Source Security

Compromised maintainer accounts on npm

Recent npm maintainer account takeovers show how a single stolen credential can compromise billions of downloads. Here's the anatomy of the threat—and the defense.

Nov 29, 20257 min read
Open Source Security

npm package hijacking via expired maintainer domains

Attackers are hijacking npm packages by buying up maintainers' expired email domains to reset account passwords — here's how it works and how to detect it.

Nov 29, 20257 min read
Buyer's Guides

Best malicious package detection tools for open source de...

A field guide to malicious package detection tools for npm and PyPI, comparing real vendors on detection method, coverage, and dependency confusion handling.

Nov 13, 20258 min read
Incident Analysis

Colors.js and Faker.js maintainer sabotage incident

In January 2022, colors.js and faker.js maintainer Marak Squires sabotaged his own packages, breaking thousands of builds—no compromise required.

Nov 7, 20257 min read
Incident Analysis

node-ipc protestware incident

How a trusted maintainer turned node-ipc into "protestware," why transitive dependencies hid the blast radius, and what SBOM visibility could have prevented.

Nov 7, 20257 min read
Incident Analysis

Dependency confusion attacks against major tech companies

A look at the dependency confusion attacks that hit Apple, Microsoft, PayPal, and PyTorch — and why the technique still works against top engineering orgs.

Nov 5, 20257 min read
Open Source Security

Compromise of Legitimate Upstream Packages

From xz-utils to polyfill.io, attackers increasingly compromise packages developers already trust rather than planting fakes. Here's how these attacks work and how Safeguard catches them.

Nov 4, 20257 min read
Software Supply Chain Security

Name Confusion Attacks: Typosquatting and Brandjacking

Typosquatting and brandjacking let attackers hijack trust in package names instead of writing exploits. Here's how crossenv, PyPI's 2017 campaign, and PyTorch's torchtriton breach actually worked.

Nov 4, 20257 min read
Vulnerability Analysis

CVE-2018-16487: Prototype pollution in lodash via merge/m...

CVE-2018-16487 let attackers pollute Object.prototype through lodash's merge, mergeWith, and defaultsDeep — a bypass of an earlier fix, patched in 4.17.11.

Oct 17, 20257 min read
npm-security (Page 8) — Safeguard Blog