npm
Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.
119 articles
JavaScript Dependency Security: The Complete Guide
A thorough walkthrough of securing your JavaScript dependency tree, from lockfile hygiene to automated auditing and runtime protections.
npm Lockfile Injection Attacks: How Tampered package-lock.json Files Compromise Builds
Lockfile injection is a subtle supply chain attack where malicious changes to package-lock.json redirect dependency resolution to attacker-controlled packages. Here is how it works and how to detect it.
npm Supply Chain Attacks: 2022 Q1 Report
The first quarter of 2022 saw a surge in npm malware — from protestware to dependency confusion to credential-stealing packages. Here's a roundup of the most significant incidents and emerging trends.
colors.js and faker.js: When Maintainer Burnout Becomes a Supply Chain Crisis
Marak Squires deliberately broke two of npm's most popular packages to protest the exploitation of open source maintainers. The fallout exposed how fragile our dependency chains really are.
node-ipc Protestware: When a Maintainer Weaponized the Supply Chain
The node-ipc package was deliberately sabotaged by its maintainer to protest the Russia-Ukraine conflict, wiping files on systems with Russian or Belarusian IP addresses. A watershed moment for supply chain trust.
The ua-parser-js npm Hijack of October 2021
An npm package with 8 million weekly downloads shipped a cryptominer and credential stealer for four hours. Here is the exact sequence of events.
npm colors and faker Sabotage: When Maintainers Revolt
The maintainer of colors and faker deliberately corrupted his own packages, affecting thousands of projects. It raised uncomfortable questions about open source sustainability and trust.
Typosquatting Attacks on npm and PyPI Explained
Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real examples, and how to protect your builds.
npm Package ua-parser-js Compromised: 8 Million Weekly Downloads Weaponized
Attackers hijacked the ua-parser-js npm package account and published malicious versions containing cryptominers and password stealers. The package gets 8 million downloads per week.
Dependency Confusion Attacks Explained
Alex Birsan's research showed how internal package names can be exploited to inject malicious code into corporate build systems. Here's how the attack works and how to defend against it.
event-stream: The Copay Attack That Rewrote npm
The 2018 event-stream incident was npm's first high-profile maintainer-handoff attack. The details still shape how we evaluate package trust.