April 30, 2026 · View on GitHub

A curated list of awesome Node.js Security resources.

Screenshot 2024-09-12 at 20 14 27

Learn Node.js Secure Coding techniques and best practices from Liran Tal

Tools
Data Sources
Security Incidents
Educational
Companies

Tools

Web Framework Hardening

Helmet - Helmet helps you secure your Express apps by setting various HTTP headers.
koa-helmet - koa-helmet helps you secure your Koa apps by setting various HTTP headers.
blankie - CSP plugin for hapi.
fastify-helmet - fastify-helmet helps you secure your fastify apps by setting important security headers.
nis2-express-middleware - Comprehensive Express.js middleware for EU NIS2 compliance (logging, active defense, and secure defaults).
nuxt-security - 🛡 Security Module for Nuxt based on OWASP Top 10 and Helmet.
reporting-api - Setup and collect CSP, Reporting API v0 and v1 reports to reliabily parse them to be processed by the user

GitHub Actions and CI/CD Security

New dependencies advisor - GitHub Action adding comments to pull requests with package health information about newly added npm dependencies.
OpenSSF Scorecard Monitor - Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts.

Static Code Analysis

eslint-plugin-security - ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
tslint-plugin-security - TSLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
safe-regex - detect potentially catastrophic exponential-time regular expressions by limiting the star height to 1.
vuln-regex-detector - This module lets you check a regex for vulnerability. In JavaScript, regular expressions (regexes) can be "vulnerable": susceptible to catastrophic backtracking. If your application is used on the client side, this can be a performance issue. On the server side, this can expose you to Regular Expression Denial of Service (REDOS).
regolith - Regex library for TypeScript made to prevent ReDoS attacks I made TypeScript bindings for the Rust Regex library to prevent Regular Expression Denial of Service attacks.
git-secrets - Prevents you from committing secrets and credentials into git repositories.
DevSkim - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. Also has support for CLI so it can be integrated into CI/CD pipeline.
ban-sensitive-files - Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Checks some files for sensitive contents (for example authToken inside .npmrc file).
NodeJSScan - A static security code scanner for Node.js applications. Including neat UI that can point where the issue is and how to fix it.
NodeSecure CLI - Node.js CLI that allow you to deeply analyze the dependency tree of a given npm package or a directory.
Trust But Verify - TBV compares an npm package with its source repository to ensure the resulting artifact is the same.
lockfile-lint - lint lockfiles for improved security and trust policies to keep clean from malicious package injection and other insecure configurations.
pkgsign - A CLI tool for signing and verifying npm and yarn packages.
semgrep - Open-source, offline, easy-to-customize static analysis for many languages. Some others on this list (NodeJSScan) use semgrep as their engine.
npm-scan - An extensible, heuristic-based vulnerability scanning tool for installed npm packages.
js-x-ray - JavaScript and Node.js SAST scanner capable of detecting various well-known malicious code patterns (Unsafe import, Unsafe stmt, Unsafe RegEx, encoded literals, minified and obfuscated codes).
cspscanner - CSP Scanner helps developers and security experts to easily inspect and evaluate a site’s Content Security (CSP).
eslint-plugin-anti-trojan-source - ESLint plugin to detect and prevent Trojan Source attacks from entering your codebase.
sdc-check - Small tool to inform you about potential risks in your project dependencies list
fix-lockfile-integrity - A CLI tool to fix weak integrity hash (sha1) to a more secure integrity hash (sha512) in your npm lockfile.
Bearer - A CLI tool to find and help you fix security and privacy risks in your code according to OWASP Top 10.
GuardDog - GuardDog is a CLI tool to Identify malicious PyPI and npm packages
repolyze - Analyze a git source code repository for health signals and project vitals

Dynamic Application Security Testing

PurpleTeam - A security regression testing SaaS and CLI, perfect for inserting into your build pipelines. You don’t need to write any tests yourself. purpleteam is smart enough to know how to test, you just need to provide a Job file which tells purpleteam what you want tested.

Input Validation & Output Encoding

node-esapi - node-esapi is a minimal port of the ESAPI4JS (Enterprise Security API for JavaScript) encoder.
escape-html - Escape string for use in HTML.
js-string-escape - Escape any string to be a valid JavaScript string literal between double quotes or single quotes.
validator - An npm library of string validators and sanitizers.
xss-filters - Just sufficient output filtering to prevent XSS!
DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
envalid - Envalid is a small library for validating and accessing environment variables in Node.js.
data-guardian - data-guardian is a tiny, highly customizable lib which can mask sensitive data in arbitrary entities and can help with OWASP Protect Data everywhere.
is-path-inside-secure - is-path-inside-secure is a symlink-aware implementation of the popular is-path-inside npm package, designed to help prevent path-traversal vulnerabilities.
spotlighting-datamarking - spotlighting-datamarking provides a lightweight implementation of the Spotlighting paper’s techniques, offering data delimiting, datamarking, and optional Base64 encoding to help separate data from instructions and reduce susceptibility to indirect prompt-injection attacks.

Secure Composition

pug-plugin-trusted-types - Pug template plugin makes it easy to securely compose HTML from untrusted inputs and provides CSP & CSRF automagic.
safesql - A tagged template (mysql`...`) that understands Postgres's & MySQL's query grammar to prevent SQL injection.
sh-template-tag - A tagged template (sh`...`) that understands Bash syntax so prevents shell injection.

CSRF

csurf - Node.js CSRF protection middleware.
crumb - CSRF crumb generation and validation for hapi.
fastify-csrf - A plugin for adding CSRF protection to fastify.

Vulnerabilities and Security Advisories

npq - Safely install packages with npm or yarn by auditing them as part of your install process.
snyk - Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (Build) system.
node-release-lines - Introspection API for Node.js release metadata. Provides information about release lines, their relative status along with details of each release.
auditjs - Audits an NPM package.json file to identify known vulnerabilities using the OSSIndex.
npm-audit - Runs a security audit based on your package.json using npm.
npm-audit-resolver - Manage npm-audit results, including options to ignore specific issues in clear and auditable way.
gammaray - Runs a security audit based on your package.json using the Node.js Security Working Group vulnerability data.
patch-package - Allows app authors to create fixes for npm dependencies (in node_modules) without forking or waiting for merged PRs, by creating and applying patches.
check-my-headers - Fast and simple way to check any HTTP Headers.
clawsearch-guard - Pre-install security check for AI agent skills and npm packages. Runs Trust Score analysis before installation to detect malicious patterns, data exfiltration, and prompt injection.
is-website-vulnerable - finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
joi-security - Detect security flaws in Joi validation schemas.
confused - Tool to check for dependency confusion vulnerabilities in multiple package management systems. See Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies for reference on the reasoning for this tool.
nodejs-cve-checker - A simple tool that validates CVEs were published to NVD after a Node.js Security Release.
zizmor - Static analysis for GitHub Actions and CI/CD workflows.
releaserun - Scan project dependencies for end-of-life runtimes, known CVEs, and version health grades across 300+ products.

Security Hardening

hijagger - Checks all maintainers of all npm and PyPI packages for hijackable packages through domain re-registration.
snync - Mitigate security concerns of Dependency Confusion supply chain security risks.
NopPP - No Prototype Pollution - Tiny helper to protect against Prototype Pollution vulnerabilities in your application regardless if they introduced in your own code or in 3rd-party code.
anti-trojan-source - Detect trojan source attacks that employ unicode bidi attacks to inject malicious code.
express-limiter - Rate limiting middleware for Express applications built on redis.
limits - Simple express/connect middleware to set limit to upload size, set request timeout etc.
rate-limiter-flexible - Fast, flexible and friendly rate limiter by key and protection from DDoS and brute force attacks in process Memory, Cluster, Redis, MongoDb, MySQL, PostgreSQL at any scale. Express and Koa examples included.
tor-detect-middleware Tor detect middleware for express
express-enforces-ssl Enforces SSL for Express based Node.js projects. It is however highly advised that you handle SSL and global HTTP rules in a front proxy.
bourne JSON.parse() drop-in replacement with prototype poisoning protection.
fastify-rate-limit A low overhead rate limiter for your routes.
secure-json-parse JSON.parse() drop-in replacement with prototype poisoning protection.
express-brute A brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence.
allowed-scripts Execute allowed npm install lifecycle scripts.
ses A shim for Hardened JavaScript, a language mode that mitigates prototype pollution attacks and supports safely confining multiple tenants in a single JavaScript realm, endowing each other with hardened API objects.
lavamoat Mitigates supply chain attacks using ses to confine third-party dependencies and limit their access to host powers based on policies generated by trust-on-first-use static analysis.
moddable Implements Hardened JavaScript as the security model for embedded systems.
is-my-node-vulnerable - package that checks if your Node.js installation is vulnerable to known security vulnerabilities.
@lavamoat/preinstall-always-fail - npm package to assert if preinstall or postinstall scripts are running in your npm or yarn workflows.
FCaptcha - Self-hosted CAPTCHA with behavioral analysis that detects bots, vision AI agents, and headless browsers. Includes Node.js server with SHA-256 proof of work.
are-scripts-enabled - npm package to assert if preinstall or postinstall scripts are running in your npm or yarn workflows.
@w-r-l/verify - Verify cryptographic integrity of WACZ web archive bundles. Checks Ed25519 signatures and RFC 3161 timestamps.
pompelmi - Local-first file upload scanning for Node.js to inspect untrusted files before storage.
verifyfetch - SRI-based integrity verification and resumable downloads for large files. Protects against CDN compromise and supply chain attacks in the browser.

Data Sources

resource - A structured list of all the Node.js versions, the binary builds, the dependencies they include (npm, zlib, openssl) along with their versions, whether the release is a security release and whether it is an LTS.
resource - The nodejs/secuirty-wg GitHub repository maintains a /vuln/core directory with all the CVEs applied to Node.js runtime versions.

Security Incidents

Protestware supply chain security issues

The following is a list of known protestware spanning across other ecosystems too:

PyPI package author of atomicwrites deletes his own code
left-pad
event-source-polyfill, Mariusz Nowak and their es5-ext, Evan Jacobs and their styled-components, node-ipc, peacenotwar, nestjs-pino - all with regards to the Russian-Ukraine crisis.
The Open Souce Peace organization maintains a list of identified protestware incidents.

Articles covering the topics around protestware are:

npm and JavaScript specific security incidents and supply chain security issues

Collection of security incidents that happened in the Node.js, JavaScript and npm related communities with supporting articles:

Date	Name	Reference Links
2026 Mar 31	Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT	Snyk, Axios post-mortem on GitHub issue, Mandaint report on UNC1069 involvement in Axios compromise
2025 Sep 25	Malicious MCP Server on npm postmark-mcp Harvests Emails	Snyk
2025 Sep 15	Shai-Hulud npm package malware	Snyk, ReversingLabs, Aikido
2025 Sep 8	Qix maintainer compromised via phishing campaign causing malware in debug chalk and many other packages	Snyk
2025 Aug 27	Nx package malicious version compromise and AI coding tools weaponization of LLM and agents	Snyk
2025 Jul 25	Toptal packages were compromised leading to GitHub Token theft and systems destroyed	Arstechnica
2025 Jul 19	ESLint Config Prettier maintainers get compromised, spread malware and infect other maintainers too	Snyk, Socket, Safedep
2025 Jun 25	BeaverTail North Korean group drops 35 npm malware packages	Socket
2025 Jun 12	npm package `@react-native-aria/focus` and other `@react-native-area` namespace packages were found to be malicious	Aikido, Bleeping Computer
2025 May 15	`os-info-checker-es6` npm package leverages unicode steganography in Google calendar as command and control	Veracode
2025 May 8	Package rand-user-agent with 45,000 downloads compromised in supply chain attack for malicious RAT	Aikido
2025 May 7	Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor	Socket
2025 May 2	Typosquatting popular .NET, Python and other package names	Socket
2025 Apr 15	Russian hackers typosquat express-exp	Safety
2025 Apr 10	pdf-to-office malicious npm package	ReversingLabs
2025 Apr 5	North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages	socket
2025 Mar 26	Malicious packages `ethers-provider2` and `ethers-providerz`	ReversingLabs
2025 Mar 11	North Korean Lazarus group targets npm packages is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator	socket
2025 Feb 26	Malicious Code Hidden in NPM Packages	cycode
2025 Jan 14	npm command confusion	Checkmarx
2025 Jan 13	Typosquatted packages for Chalk and Chokidar harbor backdoor trojans	socket
2024 Dec 20	`@rspack/core` and `@rspack/cli` at 400k weekly downloads were compromised due to npm token theft and used to publish malicious packages for monero cryptocurrency mining	rspack release notes, sonatype, Socket
2024 Dec 11	Malicious npm Package `@typescript-eslint/eslint-plugin` exfiltrates data in typosquatting attack	Socket
2024 Dec 3	Supply Chain Attack Detected in Solana's web3.js Library `@solana/web3.js`	Socket
2024 Nov 12	"node-request-ip", "request-ip-check" and "request-ip-validator" are fake IP checker utilities on npm target cryptocurrency and install trojans	sonatype
2024 Oct 31	Lottie Player npm package compromised for crypto wallet theft	Snyk
2024 Oct 31	Typosquat campaign targeting Puppeteer, Bignum.js, and some 137 other cryptocurrency libraries	Phylum
2024 Oct 28	Dependency confusion campaign used in an npm supply chain security leveraged to breach Fortune 500 company	https://www.landh.tech/blog/20241028-hidden-supply-chain-links/
2024 Oct 4	`lodasher`, `them4on`, `laodasher` counterfeit npm packages aimed to backdoor Windows users with a modified AnyDesk binary	Sonatype
2024 Jul 16	`string-width-cjs` and other Suspicious Maintainer Unveils Threads of npm Supply Chain Attack	Snyk
2024 Jul 11	`noblox-ts` starjacking and QuasarRAT on npm	stacklok
2024 Jun 17	`ua-parser-js` switches to AGPL+commercial in "rug pull" move	Adventures in Nodeland
2024 Jun 11	`cors-parser` npm package hides cross-platform backdoor in PNG files	Sonatype
2024 Jun 03	npm regsitry cache poisoning attack	landh.tech
2024 Apr 26	Fake job interviews target developers with new Python backdoor	Bleeping Computer
2024 Apr 16	Tea tokens and developers abusing OSS infrastructure for monetization	Sonatype
2024 Feb 6	noblox.js-proxy-server malicious npm Package Masquerades as Noblox.js, Targeting Roblox Users for Data Theft	Socket
2024 Jan 25	npm flooded with 748 packages that store movies	Sonatype
2024 Jan 3	An `everything` package with a registry-wide dependencies prevents from packages to be unpublished	SC Media
2023 Dec 14	Ledger supply chain security attack introducing crypto drainer malware (@ledgerhq/connect-kit)	Sonatype, Tweets 1 2 3 4 5 6 7 8
2023 Sep 27	Spoofed Dependabot commits steal GitHub tokens and inject malware to JavaScript files	Checkmarx
2023 Jun 27	Manifest Confusion - a new publicly disclosed bug with the npm package manager demonstrating package metadata inconsistency	Darcy Clarke's blog
2023 Jun 23	North Korean attackers exploit social engineering and supply chain attacks on npm	Phylum
2023 Jun 15	Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries for bignum npm package	The Hacker News, Checkmarx
2023 Jun 06	Recommended packages by ChatGPT may be exploited for supply chain security attack vector	Vulcan
2023 Feb 16	Researchers Hijack Popular NPM Package with Millions of Downloads	Illustria on The Hacker News
2023 Feb 10	Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages, affiliated npm ecosystem evidence too	The Hacker News
2023 Jan 29	Phylum Identifies 137 Malicious npm Packages	phylum
2022 Nov 29	Invisible npm malware may hide in crafted versions and bypass npm audit's security checks	JFrog
2022 Nov 24	Phylum team captures captures malicious npm package imagecompress-mini claims to be an image compress tool	Louisw Lang on Twitter
2022 Oct 12	Aqua security discovers flaw in npm that allows disclosing of privately hosted npm packages on the registry	Aqua
2022 Oct 07	LofyGang Distributed ~200 Malicious NPM Packages to Steal Credit Card Data	TheHackerNews
2022 Sep 23	Popular Cryptocurrency Exchange dYdX Has Had Its NPM Account Hacked	Mend
2022 Jul 29	malicious packages `small-sm`, `pern-valids`, `lifeculer`, and `proc-title` target stealing credit card information and discord tokens	darkreading
2022 May 26	stolen oAuth GitHub tokens lead to npm security breach, compromised user accounts metadata, private packages, and plain-text passwords in logs	GitHub
2022 May 24	malicious npm packages exploiting dependency confusion attacks	Snyk, Snyk
2022 May 23	npm packages hijacked due to expired domains	TheRegister
2022 Apr 05	New npm Flaws Let Attackers Better Target Packages for Account Takeover	Aqua
2022 Apr 26	npm package planting	Aqua, The Hacker News
2022 Mar 31	More protestware from `styled-components`	Checkmarx Security blog
2022 Mar 18	More protestware from `es5-ext` and `event-source-pollyfill`	Snyk advisory for event-source-pollyfill, es5-ext commit, ArsTechnica
2022 March 16	`peacenotwar` module sabotages npm developers in the `node-ipc` package to protest the invasion of Ukraine	Snyk blog, Darkreading, SC Magazine
2022 Mar 7	Malicious packages caught exfiltrating data via legit webhook services	Checkmarx Security blog
2022 Feb 22	25 Malicious JavaScript Libraries due to typosquatting attacks	TheHackerNews
2022 Feb 11	2,818 npm accounts use email addresses with expired domains	TheRecord
2021 Dec 08	17 JavaScript libraries contained malicious code to collect and steal Discord access tokens and environment variables from users’ computers -	TheRecord
2021 December 01	The Bladabindi trojan and RAT malware	Sonatype
2021 November 04	coa and rc packages - Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world	Bleepingcomputer, the record, npm tweet, npm tweet for rc.
2021 October 27	noblox.js-proxy and noblox.js - typosquatted npm package that target users of official roblox API and SDK npm package (noblox.js)	the register
2021 October 22	ua-parser-js - Versions of a popular NPM package named ua-parser-js was found to contain malicious code	Cybersecurity and Infrastructure Security Agency (CISA), github issue, IOCs, portswigger, theregister
2021 September 02	pac-resolver - can enable threat actors on the local network to run arbitrary code within your Node.js process whenever it attempts to make an HTTP request	arstechnica.com
2021 August 07	npm package ownership process firing back and exposing potential vectors for supply chain security risks.	Twitter
2021 April 13	New Linux, macOS malware hidden in fake Browserify NPM package: web-browserify	Bleepingcomputer.
2020 December 02	jdb.js - db-json.js - malicious npm packages caught installing remote access trojans.	zdnet.com, Bleepingcomputer.
2020 November 09	discord malicious npm package - Npm package caught stealing sensitive Discord and browser files	sonatype, zdnet.
2020 November 03	twilio-npm - malicious npm package opens backdoors on programmers' computers.	zdnet
2020 August 29	fallguys - malicious package stealing sensitive files.	zdnet
2020 April 27	is-promise - one-liner library breaks an ecosystem.	Forbes Lindesay - Maintainer post-mortem, snyk's postmortem
2019 August 22	bb-builder - malicious package targeting Windows systems to exfiltrate information and send to a remote service.	Snyk, Reversing Labs, Bleeping Computer
2019 June 05	EasyDEX-GUI - malicious code found in npm package event-stream.	npm, snyk, komodo announcement
2018 November 27	event-stream - malicious code found in npm package event-stream.	github issue snyk, snyk's postmortem, schneid, intrinsic, npm, jayden, hillel wayne's postmortem
2018 July 12	eslint - malicious packages found in npm package eslint-scope and eslint-config-eslint.	github issue, eslint tweet, eslint's postmortem, nodesource's postmortem, npm's statement
2018 May 02	getcookies - malicious package getcookies gets embedded in higher-level express related packages.	GitHub issue, npm, bleepingcomputer.com, Snyk’s getcookies vulnerability page, Hacker News
2018 Feb 13	maintainer account with access to conventional-changelog npm package compromised and published malware for 1 day and 11 hours	conventional-changelog repository update
2017 August 02	crossenv - malicious typosquatting package crossenv steals environment variables.	CJ blog on typosquat packages, Typosquatting research paper, bleepingcomputer.com, Snyk’s crossenv vulnerability page, Hacker News
2016 March 22	left-pad - how one developer broke Node, Babel and thousands of projects in 11 lines of JavaScript.	left-pad.io, The Register, qurtaz.

Follow-up notes:

A resource for malicious incidents is BadJS - a repository of malicious JavaScript that has been found in websites, extensions, npm packages, and anywhere else JavaScript lives.
npm zoo is an archive keeping track of the original malicious packages source code for educational purposes.

Educational

Newsletters

Node.js Security newsletter - JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.

Articles

Research Papers

Deep dive into Visual Studio Code extension security vulnerabilities

Books

Secure Your Node.js Web Application: Keep Attackers Out and Users Happy by Karl Duuna, 2016
Essential Node.js Security by Liran Tal, 2017 - Hands-on and abundant with source code for a practical guide to Securing Node.js web applications.
Securing Node JS Apps by Ben Edmunds, 2016 - Learn the security basics that a senior developer usually acquires over years of experience, all condensed down into one quick and easy handbook.
Web Developer Security Toolbox - Bundled Node.js and Web Security Books.
Thomas Gentilhomme book: Become a Node.js Developer
Node.js Secure Coding: Defending Against Command Injection Vulnerabilities
Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities
Node.js Secure Coding: Mitigate and Weaponize Code Injection Vulnerabilities

Roadmaps

Node.js Developer Roadmap

Companies

Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.
Datadog ASM - Application security monitoring with real-time threat detection and protection (formerly Sqreen, acquired 2021).
NodeSource - Mission-critical Node.js applications. Provides N|Solid and Node Certified Modules.
GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.
NodeSecure - An organization of developers building free and open source JavaScript/Node.js security tools.

Hacking Playground

OWASP NodeGoat - The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
OWASP Juice Shop - The OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.
DomGoat - Client XSS happens when untrusted data from sources ends up in sinks. Information and excercises on different sources, different sinks and example of XSS occuring due to them in the menu on the left-hand side.

Contributing

Found an awesome project, package, article, other type of resources related to Node.js Security? Send me a pull request! Just follow the guidelines. Thank you!

say hi on Twitter

Contents