Skip to content

Update NPM Security Cheat Sheet #1856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Oct 21, 2025
Merged

Update NPM Security Cheat Sheet #1856

merged 5 commits into from
Oct 21, 2025

Conversation

Charca
Copy link
Contributor

@Charca Charca commented Oct 14, 2025

This PR fixes issue #1853

  1. Updated Section 3 to add a suggestion to disable lifecycle scripts by default and use an allowlist, with an example.
  2. Updated Section 10 to make it all about typosquatting and slopsquatting. Removed the details about the rules npm uses for naming conventions, which didn't seem to add much useful information and distracted from the main point of the section (happy to bring it back if you think it's useful).
  3. Added Section 11 about trusted publishing.
  4. Some light cleanup and formatting.

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is gpt-5
    and the prompt used is summarize the official trusted publishing documentation

Thank you again for your contribution 😃

mackowski
mackowski previously approved these changes Oct 20, 2025
View reviewed changes
Copy link
Collaborator

@mackowski mackowski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

szh
szh reviewed Oct 20, 2025
View reviewed changes
Copy link
Collaborator

@szh szh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor comment, otherwise looks fantastic. I especially appreciate the info on trusted publishing given all the recent attacks caused by long lived credentials.

cheatsheets/NPM_Security_Cheat_Sheet.md Outdated

Typosquatting is an attack that relies on mistakes made by users, such as typos. With typosquatting, bad actors publish malicious modules to the npm registry with names that look much like existing popular modules. These malicious packages exploit common typing errors or visual similarities to trick developers into installing them instead of the legitimate packages they intended to use.

We have been tracking tens of malicious packages in the npm ecosystem; similar attacks have been seen on the PyPi Python registry as well. Some of the most notable incidents include [cross-env](https://snyk.io/vuln/npm:crossenv:20170802), [event-stream](https://snyk.io/vuln/SNYK-JS-EVENTSTREAM-72638), and [eslint-scope](https://snyk.io/vuln/npm:eslint-scope:20180712).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Who's "we"? It looks like it refers to Snyk, the authors of the material this cheat sheet was based on. Since it's being published in a non-Snyk project, I think we should make this in third person.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion! Fixed in 8019b1f

@mackowski mackowski requested a review from szh October 21, 2025 08:14
szh
szh approved these changes Oct 21, 2025
View reviewed changes
Copy link
Collaborator

@szh szh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@szh szh merged commit 863bb04 into OWASP:master Oct 21, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@szh szh szh approved these changes

@mackowski mackowski mackowski approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Charca @szh @mackowski