npm
Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.
119 articles
How to Fix a Vulnerable Transitive Dependency in npm
The CVE is four levels deep in a package you never installed. Four escalating fixes — parent upgrade, npm update, overrides, and forking — with the exact commands.
Supply Chain Attack Trends: Q3 2025
A data-led look at software supply chain attacks in Q3 2025: npm maintainer phishing, VS Code extension abuse, and a quiet shift toward CI/CD targeting.
Shai-Hulud: The Self-Replicating npm Worm That Hit 500+ Packages
On September 15, 2025, a self-replicating npm worm dubbed Shai-Hulud backdoored more than 500 packages, including @ctrl/tinycolor and CrowdStrike libraries, by pivoting through stolen publish tokens.
@ctrl/tinycolor and the 40-Package npm Wave of September 2025
@ctrl/tinycolor versions 4.1.1 and 4.1.2 shipped a credential-stealing payload that propagated to 40+ packages with 2 million combined weekly downloads in under 24 hours.
How Snyk parses npm, yarn, and pnpm lockfiles differently...
How Snyk resolves exact package versions from npm, Yarn, and pnpm lockfiles — and why each format's structure demands its own parsing logic.
Nx s1ngularity: The First AI-Aware Supply Chain Worm
On August 26, 2025, malicious versions of Nx (20.9.0–21.8.0) harvested 2,349 credentials from 1,079 developers and weaponized Claude, Gemini, and Q CLIs to enumerate local secrets.
What Is a Lockfile?
A lockfile pins the exact versions and hashes of every dependency your build resolves. Here is how lockfiles make builds reproducible and why they are central to supply chain integrity.
What Is a Package Registry?
A package registry is the network service your package manager pulls code from. Here is how registries work, why they are a critical trust boundary, and how to secure what you download.
How to Verify an npm Package Before Installing It
Five checks that take about four minutes — tarball inspection, install-script review, provenance verification, maintainer signals — before you let a new npm package run code on your machine.
What is Typo-Squatting Detection
Typo-squatting detection identifies malicious packages named one keystroke away from real ones — requets instead of requests — before they reach your build.
What is a Trusted Publisher (PyPI and npm)
A trusted publisher lets your CI workflow publish packages with short-lived OIDC tokens instead of stored API keys. Here's how it works on PyPI and where npm stands.
npm Supply Chain Attacks Q1 2025: Dependency Confusion, Typosquatting, and Maintainer Takeovers
The first quarter of 2025 saw a sharp increase in npm supply chain attacks. We catalog the major incidents and analyze the evolving techniques.