Safeguard
Tag

npm

Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.

119 articles

Dependency Security

JavaScript Dependency Security: The Complete Guide

A thorough walkthrough of securing your JavaScript dependency tree, from lockfile hygiene to automated auditing and runtime protections.

Jul 12, 20226 min read
Software Supply Chain Security

npm Lockfile Injection Attacks: How Tampered package-lock.json Files Compromise Builds

Lockfile injection is a subtle supply chain attack where malicious changes to package-lock.json redirect dependency resolution to attacker-controlled packages. Here is how it works and how to detect it.

Jul 5, 20225 min read
Supply Chain Attacks

npm Supply Chain Attacks: 2022 Q1 Report

The first quarter of 2022 saw a surge in npm malware — from protestware to dependency confusion to credential-stealing packages. Here's a roundup of the most significant incidents and emerging trends.

Apr 20, 20225 min read
Open Source Security

colors.js and faker.js: When Maintainer Burnout Becomes a Supply Chain Crisis

Marak Squires deliberately broke two of npm's most popular packages to protest the exploitation of open source maintainers. The fallout exposed how fragile our dependency chains really are.

Jan 10, 20225 min read
Supply Chain Attacks

node-ipc Protestware: When a Maintainer Weaponized the Supply Chain

The node-ipc package was deliberately sabotaged by its maintainer to protest the Russia-Ukraine conflict, wiping files on systems with Russian or Belarusian IP addresses. A watershed moment for supply chain trust.

Jan 8, 20225 min read
Open Source Security

The ua-parser-js npm Hijack of October 2021

An npm package with 8 million weekly downloads shipped a cryptominer and credential stealer for four hours. Here is the exact sequence of events.

Oct 25, 20216 min read
Open Source Security

npm colors and faker Sabotage: When Maintainers Revolt

The maintainer of colors and faker deliberately corrupted his own packages, affecting thousands of projects. It raised uncomfortable questions about open source sustainability and trust.

Sep 15, 20216 min read
Supply Chain Attacks

Typosquatting Attacks on npm and PyPI Explained

Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real examples, and how to protect your builds.

Aug 10, 20215 min read
Open Source Security

npm Package ua-parser-js Compromised: 8 Million Weekly Downloads Weaponized

Attackers hijacked the ua-parser-js npm package account and published malicious versions containing cryptominers and password stealers. The package gets 8 million downloads per week.

Jul 15, 20215 min read
Supply Chain Attacks

Dependency Confusion Attacks Explained

Alex Birsan's research showed how internal package names can be exploited to inject malicious code into corporate build systems. Here's how the attack works and how to defend against it.

Jun 10, 20216 min read
Open Source Security

event-stream: The Copay Attack That Rewrote npm

The 2018 event-stream incident was npm's first high-profile maintainer-handoff attack. The details still shape how we evaluate package trust.

Nov 27, 20186 min read
npm (Page 10) — Safeguard Blog