npm
Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.
119 articles
Dependency confusion and npm supply-chain hardening
One researcher earned over $130,000 exploiting name collisions between public and private registries at 35 companies — here's how lockfiles and scoping stop it.
Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard
Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.
Generating a CycloneDX/SPDX SBOM for a Node.js Application
npm has shipped a native `npm sbom` command since v9 — but a real supply chain program needs more than the CLI default. Here's how to do it right.
The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk
In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.
How npm's default install behavior leaked macOS text-replacement secrets
npm auto-runs postinstall scripts with zero prompts on every install — a design choice Snyk showed in June 2023 can pull sensitive data out of macOS defaults.
The string-width-cjs npm packages: a supply chain warm-up, not a breach
One of three empty npm packages aliasing real libraries reached 500+ dependents and 7,274 weekly downloads — with no malicious code found at all.
Lessons from the ua-parser-js Compromise: Four Hours, Eight Million Downloads a Week
A hijacked npm account turned a tiny User-Agent parser into a cryptominer and password stealer for a few hours in 2021. Here is what account takeover does at ecosystem scale.
tar (node-tar) Security Guide (2026)
node-tar is the archive engine underneath npm install itself — and a cluster of path-traversal and symlink CVEs made 'just extracting a tarball' one of the more dangerous operations in the Node.js ecosystem.
JavaScript Dependency Vulnerability Scanning: Beyond npm audit
npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.
Lessons from event-stream: How a Free Handoff Became a Bitcoin Heist
A volunteer handed control of a hugely popular npm package to a stranger, who used it to target one Bitcoin wallet app. The event-stream incident is the case study in maintainer-handoff risk.
npm typosquatting attacks
npm typosquatting turns a single mistyped `npm install` into a live compromise. Real incidents, attack patterns, and defenses that actually catch it.
semver (npm) Security Guide (2026)
semver is the version-parsing library at the heart of npm itself — and a single ReDoS CVE in its range parser turned this universal dependency into one of the most widely flagged advisories in the JavaScript ecosystem.