Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

colors.js and faker.js: When Maintainer Burnout Becomes a Supply Chain Crisis

Marak Squires deliberately broke two of npm's most popular packages to protest the exploitation of open source maintainers. The fallout exposed how fragile our dependency chains really are.

Jan 10, 20225 min read
Open Source Security

The ua-parser-js npm Hijack of October 2021

An npm package with 8 million weekly downloads shipped a cryptominer and credential stealer for four hours. Here is the exact sequence of events.

Oct 25, 20216 min read
Open Source Security

Python PyPI Malware Campaigns in 2021

Malicious packages on PyPI surged in 2021, targeting developers with credential stealers, backdoors, and data exfiltration. Here's what the campaigns look like and how to defend against them.

Oct 15, 20215 min read
Open Source Security

npm colors and faker Sabotage: When Maintainers Revolt

The maintainer of colors and faker deliberately corrupted his own packages, affecting thousands of projects. It raised uncomfortable questions about open source sustainability and trust.

Sep 15, 20216 min read
Open Source Security

Open Source Security: State of the Union 2021

Open source powers the modern internet, but its security model is under strain. Here's the 2021 landscape of open source risk, from funding to maintainer burnout to malicious packages.

Aug 1, 20216 min read
Open Source Security

npm Package ua-parser-js Compromised: 8 Million Weekly Downloads Weaponized

Attackers hijacked the ua-parser-js npm package account and published malicious versions containing cryptominers and password stealers. The package gets 8 million downloads per week.

Jul 15, 20215 min read
Open Source Security

Rust Foundation Formation: Security Implications

The Rust Foundation launched February 8, 2021. Here is what its formation actually changed for the security of Rust and downstream ecosystems.

Feb 10, 20216 min read
Open Source Security

event-stream: The Copay Attack That Rewrote npm

The 2018 event-stream incident was npm's first high-profile maintainer-handoff attack. The details still shape how we evaluate package trust.

Nov 27, 20186 min read
Open Source Security (Page 34) — Supply Chain Security Blog | Safeguard