Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.
Inspect every lifecycle script in your node_modules tree, disable dangerous ones by default, and catch malicious postinstall hooks before they execute.
Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their own security considerations that most teams overlook.
Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the security controls that responsible maintainers implement before and during publication.
A review of Socket.dev's approach to supply chain security, focusing on behavior analysis of npm packages, install script detection, and typosquatting prevention.
npm's updated unpublish policy addresses the left-pad problem while balancing maintainer rights, but the supply chain implications go deeper than most realize.
Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack is trivially easy to execute and remarkably effective.
npm install scripts execute arbitrary code during package installation. They are the most exploited vector in JavaScript supply chain attacks.
Private package registries are high-value targets for supply chain attackers. Here is how to lock them down, from access controls to dependency confusion prevention.
Weekly insights on software supply chain security, delivered to your inbox.