Safeguard
Tag

npm

Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.

119 articles

Emerging Technology

Reflection-Based Dependency Confusion Techniques

Dependency confusion is moving beyond name-typosquat. Reflection-based techniques let attackers hijack packages through dynamic imports and runtime resolution.

Mar 26, 20268 min read
Emerging Technology

npm Garbage Collection Abuse: Attack Research

npm's unpublish and tarball retention rules create a narrow but real window for attackers to reclaim deleted names and swap tarball contents. Here is the 2025 research.

Mar 23, 20268 min read
Best Practices

How to Prevent Dependency Confusion in npm (2026)

Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.

Mar 13, 20267 min read
Tools

Best Practices for npm Lockfile Security 2026

Your package-lock.json is a supply chain control, not build noise. Six habits — npm ci, script blocking, lockfile linting, provenance checks — that stop most npm attacks cold.

Mar 10, 20266 min read
Dependency Security

Mitigating npm Install Scripts Without Breaking Your Build

`--ignore-scripts` is the blunt fix that breaks node-sass and better-sqlite3. Here is the surgical version that keeps builds green and postinstalls contained.

Mar 9, 20267 min read
Supply Chain Attacks

OSS Maintainer Account Takeover Trends 2025

A senior engineer's breakdown of how maintainer account takeovers evolved in 2025, from phishing kits targeting PyPI to session token theft on GitHub and npm.

Mar 7, 20267 min read
Best Practices

How to Detect Malicious npm Packages: A Workflow

A practical detection workflow for malicious npm packages: install-time signals, registry heuristics, reachability checks, and CI gates that actually block attacks.

Mar 6, 20267 min read
Supply Chain Attacks

npm Protestware Patterns From 2020 to 2026

A senior engineer's view of six years of npm protestware, from colors.js to peacenotwar, and the supply chain lessons that still apply to modern JavaScript shops.

Mar 3, 20267 min read
Threat Intelligence

Dependency Confusion: Attack Evolution from 2022 to 2026

Alex Birsan's 2021 disclosure named a class of attacks. Four years on, dependency confusion has evolved across registries, tooling, and victim profiles.

Mar 2, 20265 min read
Open Source Security

pnpm and Yarn Modern Lockfile Security

pnpm-lock.yaml and yarn.lock look similar on the surface but enforce different security properties. Here is what matters in 2026, and what still trips teams up.

Feb 24, 20267 min read
Supply Chain Attacks

npm Slopsquat: The Hallucinated Package Risk in 2026

Slopsquatting is the practice of registering package names that LLMs hallucinate, turning AI coding assistants into an accidental distribution channel.

Feb 18, 20267 min read
Incident Analysis

UA-Parser-JS October 2021: A Deep Dive on the Attack

The ua-parser-js compromise of October 2021 paired credential theft with cryptominer and password stealer payloads. A close look at what happened and why.

Feb 17, 20265 min read
npm (Page 5) — Safeguard Blog