Safeguard
Tag

npm

Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.

119 articles

Supply Chain Security

Dependency confusion and npm supply-chain hardening

One researcher earned over $130,000 exploiting name collisions between public and private registries at 35 companies — here's how lockfiles and scoping stop it.

Jul 8, 20267 min read
Open Source Security

Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard

Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.

Jul 8, 20267 min read
Supply Chain Security

Generating a CycloneDX/SPDX SBOM for a Node.js Application

npm has shipped a native `npm sbom` command since v9 — but a real supply chain program needs more than the CLI default. Here's how to do it right.

Jul 8, 20266 min read
Open Source Security

The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk

In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.

Jul 8, 20266 min read
Supply Chain Attacks

How npm's default install behavior leaked macOS text-replacement secrets

npm auto-runs postinstall scripts with zero prompts on every install — a design choice Snyk showed in June 2023 can pull sensitive data out of macOS defaults.

Jul 8, 20266 min read
Supply Chain Attacks

The string-width-cjs npm packages: a supply chain warm-up, not a breach

One of three empty npm packages aliasing real libraries reached 500+ dependents and 7,274 weekly downloads — with no malicious code found at all.

Jul 8, 20265 min read
Threat Research

Lessons from the ua-parser-js Compromise: Four Hours, Eight Million Downloads a Week

A hijacked npm account turned a tiny User-Agent parser into a cryptominer and password stealer for a few hours in 2021. Here is what account takeover does at ecosystem scale.

Jul 7, 20266 min read
Security Guides

tar (node-tar) Security Guide (2026)

node-tar is the archive engine underneath npm install itself — and a cluster of path-traversal and symlink CVEs made 'just extracting a tarball' one of the more dangerous operations in the Node.js ecosystem.

Jul 7, 20266 min read
Security Guides

JavaScript Dependency Vulnerability Scanning: Beyond npm audit

npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.

Jul 6, 20266 min read
Threat Research

Lessons from event-stream: How a Free Handoff Became a Bitcoin Heist

A volunteer handed control of a hugely popular npm package to a stranger, who used it to target one Bitcoin wallet app. The event-stream incident is the case study in maintainer-handoff risk.

Jul 6, 20265 min read
Software Supply Chain Security

npm typosquatting attacks

npm typosquatting turns a single mistyped `npm install` into a live compromise. Real incidents, attack patterns, and defenses that actually catch it.

Jul 6, 20267 min read
Security Guides

semver (npm) Security Guide (2026)

semver is the version-parsing library at the heart of npm itself — and a single ReDoS CVE in its range parser turned this universal dependency into one of the most widely flagged advisories in the JavaScript ecosystem.

Jul 6, 20266 min read
npm (Page 2) — Safeguard Blog