Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

.NET deserialization vulnerability landscape

A look at the .NET deserialization vulnerability landscape — from the 2025 ASP.NET machine key crisis to BinaryFormatter's retirement and Telerik exploits.

Nov 15, 20257 min read
Open Source Security

NuGet typosquatting campaign report

Four disclosed NuGet typosquatting campaigns since 2024 reveal a shift toward patient, audience-specific attacks — from ICS time bombs to wallet-draining homoglyphs.

Nov 15, 20257 min read
Open Source Security

Compromised NuGet author accounts

NuGet maintainer accounts are the .NET supply chain's weakest link. Here's why account takeover beats typosquatting, and how to detect it before a CVE exists.

Nov 15, 20257 min read
Open Source Security

Most vulnerable .NET libraries report

Safeguard's H1 2026 analysis of 41,000+ .NET repos reveals a small cluster of NuGet packages driving nearly half of all vulnerability findings—and most aren't even reachable.

Nov 14, 20258 min read
Open Source Security

ASP.NET Core vulnerability trends

A data-driven look at ASP.NET Core's recurring CVE patterns — DoS in Kestrel/SignalR, deserialization bugs, and NuGet supply chain risk — and how to triage what matters.

Nov 14, 20257 min read
Open Source Security

NuGet dependency confusion risk report

NuGet's default feed-resolution behavior keeps dependency confusion risk elevated across .NET orgs. Here's what the incident history shows, and how to close the gap.

Nov 14, 20257 min read
Open Source Security

Composer package vulnerability trends report

Composer package vulnerabilities rose 34% YoY, with 60%+ arriving via transitive dependencies. Safeguard breaks down the trends and what security teams should do.

Nov 14, 20256 min read
Open Source Security

Malicious Composer packages on Packagist

Three malicious Composer package campaigns hit Packagist in under a year -- each sitting undetected for months. Here's what happened and how to catch the next one faster.

Nov 13, 20257 min read
Open Source Security

WordPress plugin vulnerability trends

WordPress plugin CVEs keep climbing and exploitation windows keep shrinking. Here's what the latest vulnerability trends mean for security teams in 2026.

Nov 13, 20257 min read
Open Source Security

PHP object injection vulnerability landscape

Industry analysis of PHP object injection vulnerability trends, gadget chains, and real-world CVEs, plus how to find exploitable deserialization paths.

Nov 13, 20258 min read
Open Source Security

Packagist typosquatting report

A report on Packagist typosquatting campaigns targeting Composer/PHP packages, how attackers exploit install hooks, and how to detect them.

Nov 13, 20257 min read
Open Source Security

npm Provenance: Adoption Tracking in Late 2025

Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.

Nov 12, 20254 min read
Open Source Security (Page 16) — Supply Chain Security Blog | Safeguard