Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
minimist Prototype Pollution and Its Ripple Effect Across...
CVE-2020-7598 is a prototype pollution bug in minimist that let attackers taint Object.prototype, rippling through thousands of npm dependents.
lodash zipObjectDeep Prototype Pollution (CVE-2020-8203)
CVE-2020-8203 is a prototype pollution flaw in lodash's zipObjectDeep, affecting versions before 4.17.19. Here's the impact, timeline, and how to remediate it.
The coa and rc npm Maintainer Account Hijack Incident
How the coa and rc npm hijack let attackers seize maintainer accounts on two packages with 20M+ weekly downloads to push Windows password-stealing malware.
npm prototype pollution trends report 2025
Safeguard's 2025 analysis of npm prototype pollution advisories reveals rising volume, deeper transitive exposure, and why reachability—not CVSS alone—now separates real risk from noise.
State of npm supply chain attacks
Maintainer phishing, self-propagating worms, and mass-download packages compromised: a look at the npm supply chain attack trends reshaping open source risk.
Go's 'go get' Remote Code Execution via Crafted Import Pa...
A deep dive into CVE-2018-16873, the Go 'go get' remote code execution vulnerability caused by crafted import paths and command injection in DVCS fetches.
Malicious npm packages targeting developers in 2025
A year-end look at 2025's npm supply chain attacks—chalk/debug phishing, the Shai-Hulud worm, and industrialized malware campaigns—and how to defend against them.
Go's 'go get' Directory Traversal via GOPATH Package Path...
CVE-2018-16874: a directory traversal flaw in Go's go get let malicious GOPATH import paths with curly braces write files outside the workspace.
npm typosquatting campaigns roundup
A roundup of npm typosquatting campaign patterns, from dependency confusion to AI-tooling lookalikes, and how teams can detect exposure fast.
Composer Arbitrary Code Execution via Platform Config Han...
CVE-2021-41116 let malicious composer.json platform config values inject PHP code into Composer autoload files, causing code execution on install.
npm postinstall script malware trends
npm postinstall script malware surged 61% in H1 2026. Here's how attackers weaponize lifecycle hooks — and how to detect and stop them.
Packagist's GitHub Webhook Flaw That Could Have Poisoned ...
A 2022 Packagist webhook vulnerability let a crafted GitHub branch name trigger command injection on Packagist's servers, threatening the entire PHP/Composer supply chain.