Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Go module proxy vulnerability trends
A backdoor hid in Go's module proxy for 3+ years, and 63,000+ orphaned packages remain cached. Inside 2025's Go supply chain reckoning.
Malicious Go modules found on GitHub
Malicious Go modules keep surfacing on GitHub, exploiting the ecosystem's lack of a curated registry. Here's the pattern — and how to defend against it.
Go vulnerability database (govulncheck) trend report
Go's vulnerability database is scaling fast and stdlib CVEs are clustering. Here's what govulncheck vulnerability trends reveal about reachability, typosquats, and risk.
Typosquatting in the Go module ecosystem
Typosquatting is surging across the Go module ecosystem, exploiting decentralized import paths and an immutable checksum database that makes takedowns nearly meaningless.
Most vulnerable Go packages report
Safeguard's 2026 analysis ranks the most vulnerable Go packages by exposure-weighted risk, revealing why a handful of core modules drive most CVE impact.
Kubernetes and Go supply chain risk report
Kubernetes leans on thousands of Go modules. New analysis shows how typosquats and vendored code turn that dependency into real supply chain risk.
Go binary malware distribution trends
Go binaries are now a preferred malware delivery format — statically linked, cross-platform, and hard to fingerprint. Here's what the trend data shows.
Cloud-native Go services vulnerability landscape
A runc escape trilogy, a gRPC-Go bypass, and a lingering SSH auth flaw reveal how concentrated risk in Go now shapes the cloud native vulnerability landscape.
Go standard library CVE trend report
A trend analysis of Go standard library CVEs from HTTP/2 Rapid Reset to crypto/x509 parsing bugs — and why "it's stdlib" is not a safe-harbor assumption.
Go module checksum database bypass risks
Go's GOSUMDB checksum verification is meant to be on by default, but Safeguard's research found roughly 1 in 6 CI pipelines quietly disable it.
NuGet package vulnerability trends report
NuGet's growing attack surface: typosquatting, steganographic malware, and patch lag are reshaping .NET supply chain risk in 2026 — here's what the data shows.
Malicious NuGet packages targeting .NET developers
A fresh wave of malicious NuGet packages is hitting .NET developers via typosquatting, MSBuild-triggered code, and IL weaving. Here's what's happening and how to respond.