Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

PyPI malware campaigns targeting machine learning and dat...

PyPI malware ML packages have hit PyTorch and Ultralytics YOLO via dependency confusion and CI/CD compromise. What happened, and how to defend your ML supply chain.

Jan 25, 20269 min read
Open Source Security

npm supply chain attacks via malicious postinstall scripts

How a single postinstall hook in a compromised npm package can run malware at install time, real incidents from 2018-2025, and how to defend against it.

Jan 25, 20267 min read
Open Source Security

package-lock.json integrity checks and the npm audit work...

A step-by-step guide to verifying package-lock.json integrity, running npm audit correctly, and scanning Node.js dependencies for tampering and vulnerabilities.

Jan 24, 20268 min read
Open Source Security

npm dependency confusion attacks against private package ...

How npm dependency confusion lets attackers hijack internal package names on public registries — and why private npm registry security gaps still leave teams exposed.

Jan 23, 20267 min read
Open Source Security

npm Mandatory 2FA for Publishing: How the November 2025 Rollout Hardened the Registry

After the Shai-Hulud worm compromised more than 500 npm packages in September 2025, GitHub published a revised timeline forcing FIDO 2FA, 90-day token caps, and disabled token publishing by default. Here is the defender view.

Jan 22, 20266 min read
Open Source Security

Maven and Gradle dependency supply chain attacks in the J...

How attackers exploit Maven Central and the Gradle Plugin Portal — dependency confusion, malicious artifacts, and plugin takeovers — and how to defend Java builds.

Jan 22, 20267 min read
Open Source Security

npm Provenance Statements in Practice (2026)

A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.

Jan 22, 20266 min read
Open Source Security

Auditing Spring Boot dependencies with OWASP Dependency-C...

A step-by-step spring boot dependency audit using OWASP Dependency-Check and Snyk, from Maven setup to CI automation and finding reconciliation.

Jan 21, 20267 min read
Open Source Security

CVE analysis: critical vulnerabilities in open source fin...

Log4Shell, Spring4Shell, and the Struts flaw behind Equifax: real CVEs still lurking in banking and fintech open source stacks, with fixes and detection tips.

Jan 3, 20268 min read
Open Source Security

How to manage open source risk in telecom OSS/BSS softwar...

A practical guide to managing telecom OSS/BSS open source risk—from SBOM inventory to dependency scanning—so carrier billing and network software stays secure.

Dec 25, 20258 min read
Open Source Security

How to vet open source software before deployment in tele...

A seven-step process for vetting open source telecom core network components — SBOMs, signature verification, protocol fuzzing, and procurement sign-off — before they reach production.

Dec 24, 20257 min read
Open Source Security

Open source dependency risk in e-commerce platforms (Mage...

A practical guide to finding and fixing e-commerce platform dependency risk across Magento plugins, WooCommerce extensions, and Shopify apps before attackers do.

Dec 23, 20257 min read
Open Source Security (Page 11) — Supply Chain Security Blog | Safeguard