awesome-nodejs-security
Awesome Node.js Security resources
https://github.com/lirantal/awesome-nodejs-security
-
Static Code Analysis
- cspscanner - CSP Scanner helps developers and security experts to easily inspect and evaluate a site's Content Security Policy (CSP).
- Bearer - A CLI tool to find and help you fix security and privacy risks in your code according to OWASP Top 10.
- GuardDog - CLI tool to identify malicious PyPI and npm packages.
- pkgsign - A CLI tool for signing and verifying npm and yarn packages.
- eslint-plugin-security - ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
- tslint-plugin-security - TSLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
- safe-regex - Detect potentially catastrophic exponential-time regular expressions by limiting the star height to 1.
- vuln-regex-detector - This module lets you check a regex for vulnerability. In JavaScript, regular expressions (regexes) can be "vulnerable": susceptible to catastrophic backtracking. If your application is used on the client side, this can be a performance issue. On the server side, this can expose you to Regular Expression Denial of Service (ReDoS).
- regolith - Regex library for TypeScript made to prevent ReDoS attacks: TypeScript bindings for the Rust regex library, whose matching engine does not backtrack.
- git-secrets - Prevents you from committing secrets and credentials into git repositories.
- DevSkim - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. Also has support for CLI so it can be integrated into CI/CD pipeline.
- ban-sensitive-files - Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Checks some files for sensitive contents (for example authToken inside .npmrc file).
- NodeJSScan - A static security code scanner for Node.js applications. Including neat UI that can point where the issue is and how to fix it.
- NodeSecure CLI - Node.js CLI that allow you to deeply analyze the dependency tree of a given npm package or a directory.
- Trust But Verify - TBV compares an npm package with its source repository to ensure the resulting artifact is the same.
- lockfile-lint - lint lockfiles for improved security and trust policies to keep clean from malicious package injection and other insecure configurations.
- npm-scan - An extensible, heuristic-based vulnerability scanning tool for installed npm packages.
- js-x-ray - JavaScript and Node.js SAST scanner capable of detecting various well-known malicious code patterns (Unsafe import, Unsafe stmt, Unsafe RegEx, encoded literals, minified and obfuscated codes).
- eslint-plugin-anti-trojan-source - ESLint plugin to detect and prevent Trojan Source attacks from entering your codebase.
- sdc-check - Small tool to inform you about potential risks in your project dependencies list
- fix-lockfile-integrity - A CLI tool to fix weak integrity hash (sha1) to a more secure integrity hash (sha512) in your npm lockfile.
-
Dynamic Application Security Testing
- PurpleTeam - A security regression testing SaaS and CLI, perfect for inserting into your build pipelines. You don’t need to write any tests yourself. purpleteam is smart enough to know how to test, you just need to provide a Job file which tells purpleteam what you want tested.
-
CSRF
- csurf - Node.js CSRF protection middleware.
- crumb - CSRF crumb generation and validation for [hapi](https://github.com/hapijs/hapi).
- fastify-csrf - A plugin for adding CSRF protection to [fastify](https://www.fastify.io).
-
Vulnerabilities and Security Advisories
- snyk - Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (Build) system.
- node-release-lines - Introspection API for Node.js release metadata. Provides information about release lines, their relative status along with details of each release.
- npm-audit - Runs a security audit based on your package.json using npm.
- gammaray - Runs a security audit based on your package.json using the [Node.js Security Working Group vulnerability data](https://github.com/nodejs/security-wg/).
- npq - Safely install packages with npm or yarn by auditing them as part of your install process.
- check-my-headers - Fast and simple way to check any HTTP Headers.
- confused - Tool to check for dependency confusion vulnerabilities in multiple package management systems. See [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) for reference on the reasoning for this tool.
- nodejs-cve-checker - A simple tool that validates CVEs were published to NVD after a Node.js Security Release.
- joi-security - Detect security flaws in Joi validation schemas.
- is-website-vulnerable - finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
- auditjs - Audits an NPM package.json file to identify known vulnerabilities using the [OSSIndex](https://ossindex.sonatype.org/rest).
- npm-audit-resolver - Manage npm-audit results, including options to ignore specific issues in clear and auditable way.
- patch-package - Allows app authors to create fixes for npm dependencies (in node_modules) without forking or waiting for merged PRs, by creating and applying patches.
- zizmor - Static analysis for GitHub Actions and CI/CD workflows.
-
Security Hardening
- ses
- hijagger - Checks all maintainers of all npm and PyPI packages for hijackable packages through domain re-registration.
- snync - Mitigate security concerns of Dependency Confusion supply chain security risks.
- anti-trojan-source - Detect trojan source attacks that employ unicode bidi attacks to inject malicious code.
- tor-detect-middleware
- express-enforces-ssl
- bourne - JSON.parse() drop-in replacement with prototype poisoning protection.
- fastify-rate-limit
- express-brute - Brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence.
- allowed-scripts
- lavamoat - Sandbox third-party dependencies and limit their access to host powers based on policies generated by trust-on-first-use static analysis.
- @lavamoat/preinstall-always-fail - npm package to assert if preinstall or postinstall scripts are running in your npm or yarn workflows.
- is-my-node-vulnerable - package that checks if your Node.js installation is vulnerable to known security vulnerabilities.
- NopPP - No Prototype Pollution - Tiny helper to protect against Prototype Pollution vulnerabilities in your application regardless if they introduced in your own code or in 3rd-party code.
- express-limiter - Rate limiting middleware for Express applications built on redis.
- limits - Simple express/connect middleware to set limit to upload size, set request timeout etc.
- rate-limiter-flexible - Fast, flexible and friendly rate limiter by key and protection from DDoS and brute force attacks in process Memory, Cluster, Redis, MongoDb, MySQL, PostgreSQL at any scale. Express and Koa examples included.
- secure-json-parse - JSON.parse() drop-in replacement with prototype poisoning protection.
- moddable
- are-scripts-enabled - npm package to assert if preinstall or postinstall scripts are running in your npm or yarn workflows.
- resource - A structured list of all the Node.js versions, the binary builds, the dependencies they include (npm, zlib, openssl) along with their versions, whether the release is a security release and whether it is an LTS.
- resource - The `nodejs/security-wg` GitHub repository maintains a `/vuln/core` directory with all the CVEs applied to Node.js runtime versions.
-
Protestware supply chain security issues
- left-pad
- Open Source Peace
- PyPI package author of atomicwrites deletes his own code
- node-ipc, [nestjs-pino postinstall.js](https://socket.dev/npm/package/nestjs-pino/files/3.1.1/postinstall.js) - all in relation to the Russia-Ukraine crisis.
- 2022's Techcrunch protestware review
- 2022's Snyk protestware types
-
npm and JavaScript specific security incidents and supply chain security issues
- SC Media
- Sonatype
- phylum
- Louisw Lang on Twitter
- Aqua
- TheHackerNews
- Mend
- darkreading
- GitHub
- Snyk - dependency-confusion-attack-gxm-reference/)
- TheRegister
- Aqua - bug-allowed-attackers-to-distribute.html)
- Checkmarx Security blog
- TheRecord
- Bleepingcomputer - found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/), [npm tweet](https://twitter.com/npmjs/status/1456310627362742284), [npm tweet for rc](https://twitter.com/npmjs/status/1456398505832976384). |
- Cybersecurity and Infrastructure Security Agency (CISA) - parser-js/issues/536), [IOCs](https://twitter.com/BleepinComputer/status/1451964720974635021?s=20), [portswigger](https://portswigger.net/daily-swig/popular-npm-package-ua-parser-js-poisoned-with-cryptomining-password-stealing-malware), [theregister](https://www.theregister.com/2021/10/27/npm_roblox_ransomware) |
- Bleepingcomputer
- zdnet.com - npm-packages-used-to-install-njrat-remote-access-trojan/). |
- sonatype - package-caught-stealing-sensitive-discord-and-browser-files/). |
- zdnet
- Forbes Lindesay - Maintainer post-mortem - did-is-promise-happen-and-what-can-we-learn-from-it/) |
- Snyk - npm-package-that-walked-away-with-all-your-passwords), [Bleeping Computer](https://www.technadu.com/malicious-package-stealing-user-credentials-npm-repository/77482/) |
- left-pad.io - one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code). |
- BadJS - a repository of malicious JavaScript that has been found in websites, extensions, npm packages, and anywhere else JavaScript lives.
- Socket
- Arstechnica
- Snyk
- Aikido
- Adventures in Nodeland
- Checkmarx
- cycode
- Veracode
- ReversingLabs
- Snyk - phishing-campaign-leads-to-prettier-tooling-packages-compromise), [Safedep](https://safedep.io/eslint-config-prettier-major-npm-supply-chain-hack/)
- Snyk blog - security/recent-code-sabotage-incident-latest-to-highlight-code-dependency-risks), [SC Magazine](https://www.scmagazine.com/analysis/application-security/what-happens-when-protestware-sabotages-open-source-in-response-to-current-events) |
- npm zoo
- Snyk - hulud-worm-npm?utm_source=newsletter.danielmiessler.com&utm_medium=newsletter&utm_campaign=unsupervised-learning-no-498&_bhlid=1aa82504dd754b12c5b653c6fe6b1cd46b6e9d5a), [Aikido](https://www.aikido.dev/blog/bugs-in-shai-hulud-debugging-the-desert)
- Aikido - chain-attack-hits-gluestack-npm-packages-with-960k-weekly-downloads/amp/)
- Safety
- rspack release notes - packages-rspack-vant-compromised-blocked-by-sonatype), [Socket](https://socket.dev/blog/rspack-supply-chain-attack)
- stacklok
- landh.tech
- Darcy Clarke's blog
- bignum npm package - supply-chain-attack-exploits.html), [Checkmarx](https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers/)
- Vulcan
- Illustria on The Hacker News
- JFrog
- Snyk advisory for event-source-pollyfill - ext commit](https://github.com/medikoo/es5-ext/commit/28de285ed433b45113f01e4ce7c74e9a356b2af2), [ArsTechnica](https://arstechnica.com/information-technology/2022/03/sabotage-code-added-to-popular-npm-package-wiped-files-in-russia-and-belarus/) |
- npm - another-malicious-package-found-in-npm-targeting-cryptocurrency-wallets), [komodo announcement](https://komodoplatform.com/update-agama-vulnerability/) |
- github issue - code-found-in-npm-package-event-stream), [snyk's postmortem](https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor), [schneid](https://schneid.io/blog/event-stream-vulnerability-explained/), [intrinsic](https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502), [npm](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident), [jayden](https://jaydenseric.com/blog/event-stream-compromise), [hillel wayne's postmortem](https://www.hillelwayne.com/post/stamping-on-eventstream/) |
- github issue - for-malicious-package-publishes), [nodesource's postmortem](https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/), [npm's statement](https://status.npmjs.org/incidents/dn7c1fgrr7ng) |
- GitHub issue - malicious-module-getcookies), [bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/), [Snyk’s getcookies vulnerability page](https://snyk.io/vuln/npm:getcookies:20180502), [Hacker News](https://news.ycombinator.com/item?id=16975025) |
- conventional-changelog repository update
- CJ blog on typosquat packages - package-managers/), [bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/javascript-packages-caught-stealing-environment-variables/), [Snyk’s crossenv vulnerability page](https://snyk.io/vuln/npm:crossenv:20170802), [Hacker News](https://news.ycombinator.com/item?id=14901566) |
-
Articles
- A Roadmap for Node.js Security - nodejs-security/issues/42))
- 10 npm security best practices
- OWASP Cheat Sheet Series - Node.js Security Cheat Sheet
- The Anatomy of a Malicious Package
- Why npm lockfiles can be a security blindspot for injecting malicious modules
- GitHub Actions to securely publish npm packages
- A Tale of (prototype) Poisoning
- Securizing your GitHub org
- Top 11 Node.js security best practices | Sqreen.com
- Research Case Study: Supply Chain Security at Scale – Insights into NPM Account Takeovers
- npm Security Best Practices
- What is a backdoor? Let’s build one with Node.js
-
Research Papers
-
Books
- Secure Your Node.js Web Application: Keep Attackers Out and Users Happy
- Thomas Gentilhomme
- Node.js Secure Coding: Defending Against Command Injection Vulnerabilities
- Essential Node.js Security - Hands-on and abundant with source code for a practical guide to Securing Node.js web applications.
- Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities
- Node.js Secure Coding: Mitigate and Weaponize Code Injection Vulnerabilities
-
Roadmaps
- Node.js Developer Roadmap
- NodeSource - Mission-critical Node.js applications. Provides N|Solid and Node Certified Modules.
- NodeSecure - An organization of developers building free and open source JavaScript/Node.js security tools.
- Sqreen - Automated security for your web apps - real time application security protection.
-
Input Validation & Output Encoding
- DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
- envalid - Envalid is a small library for validating and accessing environment variables in Node.js.
- validator - An npm library of string validators and sanitizers.
- node-esapi - node-esapi is a minimal port of the ESAPI4JS (Enterprise Security API for JavaScript) encoder.
- escape-html - Escape string for use in HTML.
- js-string-escape - Escape any string to be a valid JavaScript string literal between double quotes or single quotes.
- xss-filters - Just sufficient output filtering to prevent XSS!
- data-guardian - data-guardian is a tiny, highly customizable lib which can mask sensitive data in arbitrary entities and can help with [OWASP Protect Data everywhere](https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere).
-
Hacking Playground
- OWASP NodeGoat - The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
- OWASP Juice Shop - The OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.
- DomGoat - Client-side XSS happens when untrusted data from sources ends up in sinks. Information and exercises on different sources, different sinks, and examples of XSS occurring because of them, in the menu on the left-hand side.
-
Web Framework Hardening
- Helmet - Helmet helps you secure your Express apps by setting various HTTP headers.
- koa-helmet - koa-helmet helps you secure your Koa apps by setting various HTTP headers.
- blankie - CSP plugin for [hapi](https://github.com/hapijs/hapi).
- fastify-helmet - fastify-helmet helps you secure your [fastify](https://www.fastify.io/) apps by setting important security headers.
- nuxt-security - 🛡 Security Module for Nuxt based on OWASP Top 10 and Helmet.
- reporting-api - Set up and collect CSP, Reporting API v0 and v1 reports and reliably parse them for processing by the user.
-
GitHub Actions and CI/CD Security
- New dependencies advisor - GitHub Action adding comments to pull requests with package health information about newly added npm dependencies.
- OpenSSF Scorecard Monitor - Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts.
-
Secure Composition
- pug-plugin-trusted-types - Pug template plugin makes it easy to securely compose HTML from untrusted inputs and provides CSP & CSRF [automagic](https://www.npmjs.com/package/pug-plugin-trusted-types#hdr-automagic).
- safesql - A tagged template (``mysql`...` ``) that understands [Postgres](https://www.npmjs.com/package/safesql#pg)'s & [MySQL](https://www.npmjs.com/package/safesql#mysql)'s query grammar to prevent [SQL injection](https://www.oreilly.com/library/view/securing-node-applications/9781491982426/ch01.html#idm140399946848800).
- sh-template-tag - A tagged template (``sh`...` ``) that understands Bash syntax so prevents [shell injection](https://www.oreilly.com/library/view/securing-node-applications/9781491982426/ch01.html#idm140399951358480).
-
Newsletters
- Node.js Security newsletter - JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.