Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

minimist Prototype Pollution and Its Ripple Effect Across...

CVE-2020-7598 is a prototype pollution bug in minimist that let attackers taint Object.prototype, rippling through thousands of npm dependents.

Dec 2, 20258 min read
Open Source Security

lodash zipObjectDeep Prototype Pollution (CVE-2020-8203)

CVE-2020-8203 is a prototype pollution flaw in lodash's zipObjectDeep, affecting versions before 4.17.19. Here's the impact, timeline, and how to remediate it.

Dec 1, 20258 min read
Open Source Security

The coa and rc npm Maintainer Account Hijack Incident

How the coa and rc npm hijack let attackers seize maintainer accounts on two packages with 20M+ weekly downloads to push Windows password-stealing malware.

Dec 1, 20256 min read
Open Source Security

npm prototype pollution trends report 2025

Safeguard's 2025 analysis of npm prototype pollution advisories reveals rising volume, deeper transitive exposure, and why reachability—not CVSS alone—now separates real risk from noise.

Dec 1, 20257 min read
Open Source Security

State of npm supply chain attacks

Maintainer phishing, self-propagating worms, and mass-download packages compromised: a look at the npm supply chain attack trends reshaping open source risk.

Nov 30, 20257 min read
Open Source Security

Go's 'go get' Remote Code Execution via Crafted Import Pa...

A deep dive into CVE-2018-16873, the Go 'go get' remote code execution vulnerability caused by crafted import paths and command injection in DVCS fetches.

Nov 30, 20258 min read
Open Source Security

Malicious npm packages targeting developers in 2025

A year-end look at 2025's npm supply chain attacks—chalk/debug phishing, the Shai-Hulud worm, and industrialized malware campaigns—and how to defend against them.

Nov 30, 20257 min read
Open Source Security

Go's 'go get' Directory Traversal via GOPATH Package Path...

CVE-2018-16874: a directory traversal flaw in Go's go get let malicious GOPATH import paths with curly braces write files outside the workspace.

Nov 30, 20257 min read
Open Source Security

npm typosquatting campaigns roundup

A roundup of npm typosquatting campaign patterns, from dependency confusion to AI-tooling lookalikes, and how teams can detect exposure fast.

Nov 30, 20257 min read
Open Source Security

Composer Arbitrary Code Execution via Platform Config Han...

CVE-2021-41116 let malicious composer.json platform config values inject PHP code into Composer autoload files, causing code execution on install.

Nov 30, 20257 min read
Open Source Security

npm postinstall script malware trends

npm postinstall script malware surged 61% in H1 2026. Here's how attackers weaponize lifecycle hooks — and how to detect and stop them.

Nov 30, 20257 min read
Open Source Security

Packagist's GitHub Webhook Flaw That Could Have Poisoned ...

A 2022 Packagist webhook vulnerability let a crafted GitHub branch name trigger command injection on Packagist's servers, threatening the entire PHP/Composer supply chain.

Nov 30, 20256 min read
Open Source Security (Page 13) — Supply Chain Security Blog | Safeguard