Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Dependency Confusion Attacks Five Years Later: Are Enterp...
Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.
Why Malicious Package Counts Are Rising Faster Than Detec...
Malicious packages hit 245,000+ in 2023 alone, outpacing 2019-2022 combined. Here's why detection tooling can't keep up, and how the gap actually closes.
Post-Install Scripts: The Overlooked Execution Point Atta...
Postinstall scripts run automatically on `npm install` with full user privileges—no review required. Here's how attackers exploit them, from ua-parser-js to Shai-Hulud.
Protestware and Sabotage: When Maintainers Turn Against T...
Protestware turns trusted maintainers into insider threats. See how node-ipc, colors.js, and left-pad became sabotage vectors, and how Safeguard catches the next one.
Credential-Stealing Packages: What They Target and How Th...
Credential-stealing packages harvest env vars, browser passwords, and npm tokens at install time. Here's how ctx, W4SP, and Shai-Hulud actually work.
The Economics of Publishing Fake Packages at Scale
Publishing a malicious package costs an attacker almost nothing while payouts run into the millions. Here's the cost-benefit math behind fake packages — and how to break it.
How Package Takeover via Maintainer Account Compromise Ac...
Attackers don't hack npm's servers — they phish or socially engineer maintainers. Here's how account takeover turns trusted packages into malware.
Supply Chain Worming: Self-Propagating Malicious Packages...
How the Shai-Hulud npm worm self-propagated across 500+ packages in 48 hours by stealing tokens and republishing itself — and how to stop the next one.
Reconstructing a Real-World Dependency Confusion Incident...
A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.
Rust Memory Safety: A CVE Trend Analysis
Analysis of CVE data across Rust crates and std releases, measuring how memory safety affects vulnerability shape, density, and unsafe-block concentration.
Slopsquatting in the AI Era: Registering Packages AI Mode...
AI coding assistants hallucinate package names at rates as high as 19.7% — and attackers are registering those exact names. Here's how slopsquatting works and how to stop it.
The Unpaid Labor Behind Critical Internet Infrastructure
Open source runs on unpaid maintainer labor. From xz-utils to Log4Shell to colors.js, we examine why burnout became a top supply chain security risk.