npm
Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.
119 articles
debug/chalk npm Compromise Sept 2025: Deep Dive
A phishing campaign against a prolific npm maintainer poisoned chalk, debug, and several other packages with a Web3 hijacker. Here is the full breakdown.
xrpl.js npm Backdoor April 2025 Incident Analysis
A stolen Ripple-adjacent npm token pushed key-stealing versions of xrpl.js. Timeline, payload structure, and what XRPL integrators should do next.
Solana web3.js npm Backdoor: Dec 2024 Post-Mortem
A phished maintainer token pushed a private-key-stealing backdoor into @solana/web3.js 1.95.6/1.95.7. Full mechanics and post-incident recommendations.
Event-Stream npm 2018: Package Trust Lessons That Still Apply
The event-stream npm incident remains the cleanest case study in maintainer-handoff risk. What it taught the ecosystem, and what we still ignore in 2026.
Ledger Connect Kit Attack: What Devs Missed
A phishing-obtained GitHub token published a wallet drainer as @ledgerhq/connect-kit in Dec 2023. What the incident tells us about Web3 supply chain trust.
Rspack npm Account Takeover: 2024 Incident Analysis
Compromised npm tokens pushed crypto-miner versions of @rspack/core and @rspack/cli in December 2024. Timeline, payload, and what downstream teams missed.
npm Mandatory 2FA for Publishing: How the November 2025 Rollout Hardened the Registry
After the Shai-Hulud worm compromised more than 500 npm packages in September 2025, GitHub published a revised timeline forcing FIDO 2FA, 90-day token caps, and disabled token publishing by default. Here is the defender view.
npm Provenance Statements in Practice (2026)
A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.
OSS Malware Trends Q1 2026 (Safeguard Research)
The Safeguard Research team analyzed first-quarter 2026 malicious package telemetry across npm, PyPI, RubyGems, and crates.io. Here is what the data shows.
The npm 'everything' Package Attack (2024) Analyzed
In January 2024 a developer published npm packages that depended on every public npm package, triggering a denial-of-service style incident across the registry.
Lottie Player npm Supply Chain Attack Explained
A leaked maintainer token published three trojanized versions of @lottiefiles/lottie-player to npm, targeting wallet drains. Here is the mechanics.
npm Provenance: Adoption Tracking in Late 2025
Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.