@ctrl/tinycolor and the 40-Package npm Wave of September 2025
@ctrl/tinycolor versions 4.1.1 and 4.1.2 shipped a credential-stealing payload that propagated to 40+ packages with 2 million combined weekly downloads in under 24 hours.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
On August 26, 2025, malicious versions of Nx (20.9.0–21.8.0) harvested 2,349 credentials from 1,079 developers and weaponized Claude, Gemini, and Q CLIs to enumerate local secrets.
The first quarter of 2025 saw a sharp increase in npm supply chain attacks. We catalog the major incidents and analyze the evolving techniques.
Between May and June 2024 at least 36 npm packages were hijacked via expired maintainer domains and leaked tokens. We map the cluster.
npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.
A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.
Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organizations keep falling for it.
Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.
The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.