Safeguard
Tag

npm

Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.

119 articles

Incident Analysis

debug/chalk npm Compromise Sept 2025: Deep Dive

A phishing campaign against a prolific npm maintainer poisoned chalk, debug, and several other packages with a Web3 hijacker. Here is the full breakdown.

Feb 13, 20267 min read
Incident Analysis

xrpl.js npm Backdoor April 2025 Incident Analysis

A stolen Ripple-adjacent npm token pushed key-stealing versions of xrpl.js. Timeline, payload structure, and what XRPL integrators should do next.

Feb 9, 20267 min read
Incident Analysis

Solana web3.js npm Backdoor: Dec 2024 Post-Mortem

A phished maintainer token pushed a private-key-stealing backdoor into @solana/web3.js 1.95.6/1.95.7. Full mechanics and post-incident recommendations.

Feb 5, 20266 min read
Software Supply Chain Security

Event-Stream npm 2018: Package Trust Lessons That Still Apply

The event-stream npm incident remains the cleanest case study in maintainer-handoff risk. What it taught the ecosystem, and what we still ignore in 2026.

Feb 4, 20265 min read
Incident Analysis

Ledger Connect Kit Attack: What Devs Missed

A phishing-obtained GitHub token published a wallet drainer as @ledgerhq/connect-kit in Dec 2023. What the incident tells us about Web3 supply chain trust.

Feb 1, 20267 min read
Incident Analysis

Rspack npm Account Takeover: 2024 Incident Analysis

Compromised npm tokens pushed crypto-miner versions of @rspack/core and @rspack/cli in December 2024. Timeline, payload, and what downstream teams missed.

Jan 28, 20267 min read
Open Source Security

npm Mandatory 2FA for Publishing: How the November 2025 Rollout Hardened the Registry

After the Shai-Hulud worm compromised more than 500 npm packages in September 2025, GitHub published a revised timeline forcing FIDO 2FA, 90-day token caps, and disabled token publishing by default. Here is the defender view.

Jan 22, 20266 min read
Open Source Security

npm Provenance Statements in Practice (2026)

A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.

Jan 22, 20266 min read
Research

OSS Malware Trends Q1 2026 (Safeguard Research)

The Safeguard Research team analyzed first-quarter 2026 malicious package telemetry across npm, PyPI, RubyGems, and crates.io. Here is what the data shows.

Jan 22, 20267 min read
Supply Chain Attacks

The npm 'everything' Package Attack (2024) Analyzed

In January 2024 a developer published npm packages that depended on every public npm package, triggering a denial-of-service style incident across the registry.

Jan 20, 20267 min read
Incident Analysis

Lottie Player npm Supply Chain Attack Explained

A leaked maintainer token published three trojanized versions of @lottiefiles/lottie-player to npm, targeting wallet drains. Here is the mechanics.

Jan 19, 20267 min read
Open Source Security

npm Provenance: Adoption Tracking in Late 2025

Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.

Nov 12, 20254 min read
npm (Page 6) — Safeguard Blog