PackageFix Blog — Dependency Security Guides

Supply chain security, CVE analysis, and dependency management guides for developers.

Supply Chain Security

5 Supply Chain Attacks Hiding in Your package.json

npm audit misses Glassworm Unicode injection, zombie packages, typosquatting, build script injection, and CISA KEV entries. Here's what to look for.

March 22, 2026 · 8 min read

Weekly CVE Digest

Weekly CVE Digest — March 2026

This week's most critical CVEs across npm, PyPI, Ruby, PHP, Go, Rust, and Java. Log4Shell still being exploited. New HTTP/2 rapid reset variants.

March 22, 2026 · 5 min read

CVE Reference Pages

Dedicated pages for the highest-impact CVEs — with fix guides for every affected ecosystem.