Tagged: npm

Two npm package names on a dark field, one handed off to an attacker, one weaponised by its own author.

The event-stream and node-ipc incidents: npm supply-chain attacks dissected

Two npm supply-chain cases dissected: the 2018 event-stream maintainer handoff that smuggled a Copay wallet stealer through flatmap-stream, and the 2022 node-ipc protestware that wiped files in Russia and Belarus.

web-security supply-chain npm

Fri, November 14, 2025 · 22 min read

The words dependency confusion in monospace with an orange underline bar

Dependency confusion: how internal package names became an attack vector

How Alex Birsan's 2021 research turned the name of a private package into remote code execution at 35 companies, why installers prefer the higher public version, and the scoping defenses that close the gap.

web-security supply-chain npm

Wed, November 12, 2025 · 18 min read