npm
Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.
119 articles
How to Audit npm Dependencies for Vulnerabilities
Go beyond npm audit's noisy output — resolve your dependency tree, prioritize by reachability, and fix both direct and transitive vulnerabilities in a Node.js project the right way.
minimist Security Guide (2026)
minimist is the tiny argument parser buried under a huge slice of the npm ecosystem — and two prototype-pollution CVEs made this 'harmless' 100-line library one of the most widely flagged transitive dependencies in JavaScript.
How to Update Dependencies Safely
Updating a library can fix a vulnerability or break your app. This beginner guide shows you how to update dependencies safely, one careful step at a time.
The npm Supply Chain Security Guide
How the npm supply chain actually gets attacked — install scripts, maintainer takeovers, typosquatting, and dependency confusion — and a phased program to defend it from developer laptop to production.
How to Build a Secure npm Package (2026)
A practical checklist for shipping an npm package that resists supply chain attacks: provenance, granular tokens, minimal published files, no install scripts, and ReDoS-safe code.
How to Check if an npm Package Is Safe
Before you run npm install, learn a quick, repeatable routine to judge whether an npm package is trustworthy — using metadata, known vulnerabilities, and a scan.
npm audit: The Complete Guide to Auditing Node.js Dependencies
How npm audit really works, the exact commands to run in CI, where it silently falls short, and how to close the gaps with reachability-aware SCA and autonomous fixes.
Software Supply Chain Attack at Scale: npm, PyPI, and Docker Hub Hit in 48 Hours
GitGuardian documented three distinct supply-chain campaigns striking npm, PyPI, and Docker Hub inside a single 48-hour window in April 2026. The simultaneity tells you more about attacker tooling than any single payload does.
CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm
The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.
IronWorm: A Rust eBPF Rootkit Worm Hits the npm Supply Chain
IronWorm is a compiled Rust npm worm with a kernel-level eBPF rootkit, Tor C2, and OIDC-based self-propagation. It is the engineering ceiling of 2026 software supply chain attacks — and it carries no CVE.
eBPF Rootkits Go Mainstream: Inside IronWorm and the Kernel-Level Turn in Supply Chain Malware
IronWorm shipped a kernel-level eBPF rootkit inside dozens of npm packages, hiding the very processes your security tools rely on seeing. Here is what changed, and how to detect kernel-level supply chain malware before it blinds you.
Why postinstall Scripts Became the Frontline of the Software Supply Chain Attack
Install-time script execution turned npm install and pip install into code-execution events. Here is how 2026's wave of attacks works, and the lockfile, allowlist, and sandbox discipline that actually stops it.