Open Source Security
Open Source Malware Detection Techniques for Package Registries
Malicious packages on npm, PyPI, and other registries are surging. Here are the techniques researchers and tools use to detect them.
May 20, 20236 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Malicious packages on npm, PyPI, and other registries are surging. Here are the techniques researchers and tools use to detect them.
When an npm package looks suspicious, you need a systematic approach to determine if it is malicious. These analysis techniques separate noise from genuine threats.
A fundamental flaw in npm's package handling allowed published package metadata to differ from actual package contents, undermining trust in the entire ecosystem.
Lock files are your first line of defense against dependency drift. This guide explains how package-lock.json, yarn.lock, and similar files protect your builds from supply chain manipulation.
Each package manager has its own security model, attack surface, and best practices. This guide compares npm, pip, and Maven from a supply chain security perspective.
From mandatory MFA for top packages to enhanced login verification, npm made significant security improvements in 2022. Here's what changed.
A thorough walkthrough of securing your JavaScript dependency tree, from lockfile hygiene to automated auditing and runtime protections.
Lockfile injection is a subtle supply chain attack where malicious changes to package-lock.json redirect dependency resolution to attacker-controlled packages. Here is how it works and how to detect it.
The first quarter of 2022 saw a surge in npm malware — from protestware to dependency confusion to credential-stealing packages. Here's a roundup of the most significant incidents and emerging trends.
Weekly insights on software supply chain security, delivered to your inbox.