concept

npm

Facts (17)

Sources
Source: bureado/awesome-software-supply-chain-security (GitHub, github.com), 12 facts
claim: Cloudflare's client-side security system detects malicious JavaScript in npm packages by utilizing machine learning-based Abstract Syntax Tree analysis and graph neural networks.
reference: The npm Best Practices Guide, published by the Open Source Security Foundation (OpenSSF), provides features and recommendations for using the npm package manager safely.
reference: 6mile/super-confused is a dependency confusion analysis tool that supports over 17 file formats and SBOM files, identifying confusion opportunities across ecosystems including npm, PyPI, Cargo, Packagist, RubyGems, Maven, and Go.
claim: The Shai Hulud 2.0 Scanner detects the Shai Hulud 2.0 npm supply chain attack, which compromised 796 or more packages, by scanning for the attack's malicious files, credential-theft patterns, and affected package ecosystems.
claim: GitHub Actions, Helm charts, Terraform modules, and container registries function as implicit package managers, but unlike a mature package manager such as npm (package-lock.json, integrity hashes, dependency resolution) they often lack supply chain controls like lockfiles, integrity verification, and constraint solving, which leaves transitive dependencies unpinned and unverified.
reference: DataDog/guarddog is a CLI tool used to identify malicious packages in PyPI and npm.
claim: Socket provides a tool called 'safe npm', a wrapper around the npm CLI that checks packages against Socket's risk analysis before an install command is allowed to fetch them.
reference: Boostsecurityio/bagel is a cross-platform CLI tool that audits developer workstations for supply chain security risks by inventorying development tools, risky configurations, and secret metadata across Git, SSH, npm, cloud credentials, and IDE configurations.
claim: AppThreat/vulnerability-db is a vulnerability database and package search tool that aggregates data from sources including OSV, NVD, GitHub, and npm.
reference: A research case study published in November 2024 provides insights into supply chain security at scale, specifically focusing on npm account takeovers.
claim: DataDog/supply-chain-firewall is a Python tool designed to prevent the installation of malicious and vulnerable PyPI and npm packages, thereby protecting developer workstations from supply chain attacks.
reference: The lirantal/lockfile-lint tool analyzes and detects security issues within npm or yarn lockfiles.
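The lockfile checks and the dependency-confusion check referred to in the entries above, as an added JavaScript (Node.js) example; this is not code from the awesome list, from lockfile-lint, or from super-confused. It audits a constructed lockfileVersion 3 package-lock.json against a constructed .npmrc and flags non-HTTPS tarball URLs, registry hosts outside an allowlist, missing integrity hashes, tarball paths whose package name differs from the install path, and scoped packages fetched from the public registry although .npmrc pins their scope to a private one. The hostnames, package names, allowlist and hash values are all made up for the example.

```javascript
// Added example: a small lockfile audit in the spirit of lockfile-lint plus a
// dependency-confusion check. Not the code of any tool named on this page.
// Input is a parsed package-lock.json (lockfileVersion 3) and the text of .npmrc.

// Constructed sample .npmrc: the @acme scope is pinned to a private registry.
const NPMRC = `
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.internal/
`;

// Registries that tarballs may be fetched from (an assumption for this example).
const ALLOWED_HOSTS = ['registry.npmjs.org', 'npm.acme.internal'];

// Constructed sample lockfile. Package names, hosts and hashes are made up.
const LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    // Clean entry: https, allowed host, integrity present, name matches the tarball.
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-constructedhash0000==',
    },
    // Scope is private per .npmrc, yet the tarball comes from the public registry.
    'node_modules/@acme/auth-client': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/@acme/auth-client/-/auth-client-2.1.0.tgz',
      integrity: 'sha512-constructedhash1111==',
    },
    // Plain http, unknown mirror, no integrity hash: replaceable in transit without notice.
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'http://mirror.example.net/left-pad/-/left-pad-1.3.0.tgz',
    },
    // Tarball path names a different package than the install path does.
    'node_modules/minimist': {
      version: '1.2.8',
      resolved: 'https://registry.npmjs.org/minimlst/-/minimlst-1.2.8.tgz',
      integrity: 'sha512-constructedhash2222==',
    },
  },
};

// Map "@scope" -> registry host for every "@scope:registry=" line in .npmrc.
function parseNpmrcScopes(text) {
  const scopes = new Map();
  for (const raw of text.split('\n')) {
    const m = raw.trim().match(/^(@[^:]+):registry=(\S+)$/);
    if (m) scopes.set(m[1], new URL(m[2]).host);
  }
  return scopes;
}

// "node_modules/a/node_modules/@s/b" -> "@s/b": the name after the last node_modules/.
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock, npmrcText, allowedHosts) {
  const findings = [];
  const scopeHosts = parseNpmrcScopes(npmrcText);
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (installPath === '') continue; // the root project itself
    const name = packageNameFromPath(installPath);
    const flag = (rule, detail = '') => findings.push({ name, rule, detail });

    if (!entry.resolved) { flag('missing-resolved'); continue; }
    let url;
    try { url = new URL(entry.resolved); } catch { flag('unparseable-resolved', entry.resolved); continue; }

    if (url.protocol !== 'https:') flag('insecure-scheme', url.protocol);
    if (!allowedHosts.includes(url.host)) flag('host-not-allowed', url.host);
    if (!/^sha(256|384|512)-/.test(entry.integrity || '')) flag('missing-integrity');
    // Registry tarball URLs look like <registry>/<name>/-/<file>.tgz; the name segment must match.
    if (!decodeURIComponent(url.pathname).startsWith(`/${name}/-/`)) flag('name-mismatch', url.pathname);
    // Dependency confusion: scope pinned to a private registry but fetched from somewhere else.
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (scope && scopeHosts.has(scope) && scopeHosts.get(scope) !== url.host) {
      flag('dependency-confusion', `${scope} should resolve from ${scopeHosts.get(scope)}, got ${url.host}`);
    }
  }
  return findings;
}

for (const f of auditLockfile(LOCKFILE, NPMRC, ALLOWED_HOSTS)) {
  console.log(`${f.rule.padEnd(22)} ${f.name} ${f.detail}`);
}
```

On the constructed input the audit reports five findings: the dependency-confusion hit on @acme/auth-client, three findings on left-pad (http scheme, unlisted host, no integrity) and the name mismatch on minimist; lodash passes. To run it on a real project, replace LOCKFILE with JSON.parse of the project's package-lock.json and NPMRC with the contents of its .npmrc, and fail the build when the findings list is non-empty. The integrity regex only checks that a hash is present; the hash itself is verified by npm when it fetches the tarball.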
Source: A Mixed-Methods Study of Open-Source Software Maintainers On ... (arXiv, arxiv.org), Feb 3, 2025, 3 facts
claim: Large-scale software ecosystems like the Python Package Index (PyPI) and npm are primarily composed of projects maintained by a single individual.
reference: Asher Trockman, Shurui Zhou, Christian Kästner, and Bogdan Vasilescu conducted an empirical study on the use of repository badges in the npm ecosystem, published in the 2018 Proceedings of the 40th International Conference on Software Engineering.
reference: Josh Bressers published a bar chart visualization of npm maintainers in 2022.
Source: Cyber Insights 2025: Open Source and Software Supply Chain ... (SecurityWeek, securityweek.com), Jan 15, 2025, 2 facts
procedure: In an 'AI Package Hallucination attack', attackers exploit the tendency of Large Language Models (LLMs) to recommend plausible package names that do not exist: they prompt LLMs to collect such hallucinated names, register those names on registries like npm or PyPI with malicious code, and wait for developers who follow the LLM's suggestion to install the attacker's package.
procedure: The 'npm sbom' command, introduced in npm version 9, generates an SBOM for a Node.js project in SPDX or CycloneDX format (chosen with --sbom-format) that lists every installed dependency, including transitive ones.
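What a practitioner does with the SBOM once 'npm sbom' has produced it, as an added JavaScript (Node.js) example that is not code from SecurityWeek or from the npm CLI: it walks a CycloneDX JSON document of the shape that npm sbom --sbom-format cyclonedx writes, classifies each component as a direct, transitive or unreachable dependency of the root, and lists every dependency chain through which a named package entered the tree (the question to answer when a package such as one from a Shai Hulud-style compromise turns up). The document below is constructed; package names, versions and bom-ref values are illustrative, not taken from any real project.

```javascript
// Added example (not code from SecurityWeek or from the npm CLI): walk a
// CycloneDX JSON document of the shape produced by
//   npm sbom --sbom-format cyclonedx > sbom.json
// The document is constructed; names, versions and bom-ref values are illustrative.

const SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  metadata: {
    component: { type: 'application', name: 'demo-app', version: '1.0.0', 'bom-ref': 'demo-app@1.0.0' },
  },
  components: [
    { type: 'library', name: 'express-ish', version: '4.0.0', purl: 'pkg:npm/express-ish@4.0.0', 'bom-ref': 'express-ish@4.0.0' },
    { type: 'library', name: 'body-parse', version: '1.2.0', purl: 'pkg:npm/body-parse@1.2.0', 'bom-ref': 'body-parse@1.2.0' },
    { type: 'library', name: 'qs-like', version: '6.0.0', purl: 'pkg:npm/qs-like@6.0.0', 'bom-ref': 'qs-like@6.0.0' },
    { type: 'library', name: '@acme/ui', version: '2.0.0', purl: 'pkg:npm/%40acme/ui@2.0.0', 'bom-ref': '@acme/ui@2.0.0' },
    { type: 'library', name: 'stale-dev-tool', version: '0.1.0', purl: 'pkg:npm/stale-dev-tool@0.1.0', 'bom-ref': 'stale-dev-tool@0.1.0' },
  ],
  dependencies: [
    { ref: 'demo-app@1.0.0', dependsOn: ['express-ish@4.0.0', '@acme/ui@2.0.0'] },
    { ref: 'express-ish@4.0.0', dependsOn: ['body-parse@1.2.0'] },
    { ref: 'body-parse@1.2.0', dependsOn: ['qs-like@6.0.0'] },
    { ref: 'qs-like@6.0.0', dependsOn: [] },
    { ref: '@acme/ui@2.0.0', dependsOn: ['qs-like@6.0.0'] },
    { ref: 'stale-dev-tool@0.1.0', dependsOn: [] }, // in node_modules, but nothing depends on it
  ],
};

// Adjacency list built from the SBOM's dependency graph.
function dependencyEdges(sbom) {
  return new Map(sbom.dependencies.map((d) => [d.ref, d.dependsOn || []]));
}

// Split components into direct deps of the root, transitive deps, and
// components that are listed but not reachable from the root at all.
function classifyDependencies(sbom) {
  const rootRef = sbom.metadata.component['bom-ref'];
  const edges = dependencyEdges(sbom);
  const direct = new Set(edges.get(rootRef) || []);
  const reachable = new Set();
  const queue = [...direct];
  while (queue.length) {
    const ref = queue.shift();
    if (reachable.has(ref)) continue;
    reachable.add(ref);
    queue.push(...(edges.get(ref) || []));
  }
  const result = { direct: [], transitive: [], unreachable: [] };
  for (const c of sbom.components) {
    const ref = c['bom-ref'];
    if (direct.has(ref)) result.direct.push(c.purl);
    else if (reachable.has(ref)) result.transitive.push(c.purl);
    else result.unreachable.push(c.purl);
  }
  return result;
}

// Every dependency chain from the root to a component with the given name.
function pathsTo(sbom, targetName) {
  const edges = dependencyEdges(sbom);
  const nameOf = new Map(sbom.components.map((c) => [c['bom-ref'], c.name]));
  const paths = [];
  const walk = (ref, trail) => {
    const here = [...trail, ref];
    if (nameOf.get(ref) === targetName) { paths.push(here); return; }
    for (const next of edges.get(ref) || []) {
      if (!here.includes(next)) walk(next, here); // do not loop on cyclic graphs
    }
  };
  walk(sbom.metadata.component['bom-ref'], []);
  return paths;
}

console.log(classifyDependencies(SBOM));
for (const p of pathsTo(SBOM, 'qs-like')) console.log(p.join(' -> '));
```

For a real project, run npm sbom --sbom-format cyclonedx (add --omit dev to leave out development dependencies) and load the output with JSON.parse(fs.readFileSync('sbom.json', 'utf8')) in place of SBOM. On the constructed document, qs-like is reached by two chains (through express-ish and body-parse, and through @acme/ui), so removing one direct dependency would not remove it; that is exactly what the transitive listing an SBOM provides is for.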