Safeguard
Topic

Software Supply Chain Security

In-depth guides and analysis on software supply chain security from the Safeguard engineering team.

175 articles

Software Supply Chain Security

Homebrew formula security incidents

A timeline of Homebrew formula security incidents — from the 2018 Jenkins token leak to 2026's Trivy tap compromise — and what Homebrew's Tap Trust fix means for security teams.

Nov 9, 20258 min read
Software Supply Chain Security

Best software supply chain risk scoring and rating platforms

A practical, no-hype guide to choosing software supply chain risk scoring platforms — evaluation criteria plus a fair roundup of six real vendors, strengths and limitations included.

Nov 5, 20258 min read
Software Supply Chain Security

Known Vulnerabilities in Dependencies: Detection and Triage

Known vulnerabilities in dependencies aren't a detection problem — they're a triage problem. Here's how CVEs get exploited, why CVSS alone misleads, and how to prioritize fixes.

Nov 4, 20258 min read
Software Supply Chain Security

Name Confusion Attacks: Typosquatting and Brandjacking

Typosquatting and brandjacking let attackers hijack trust in package names instead of writing exploits. Here's how crossenv, PyPI's 2017 campaign, and PyTorch's torchtriton breach actually worked.

Nov 4, 20257 min read
Software Supply Chain Security

Untracked Dependencies in the Software Supply Chain

Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.

Nov 3, 20257 min read
Software Supply Chain Security

Outdated Software Components: Quantifying the Risk

Outdated dependencies sit in nearly every codebase. Here's what Equifax and Log4Shell reveal about the real cost of unpatched software supply chain risk.

Nov 3, 20258 min read
Software Supply Chain Security

Unapproved Change Risk in the Software Supply Chain

How unreviewed code, dependency, and pipeline changes create supply chain breaches like SolarWinds and XZ Utils - and how to detect them before attackers do.

Nov 2, 20258 min read
Software Supply Chain Security

AI Bill of Materials (AI-BOM) for Model Supply Chains

An AI-BOM tracks every model, dataset, and dependency in your ML pipeline so a compromised base model or license issue can be traced in minutes, not weeks.

Nov 2, 20257 min read
Software Supply Chain Security

Video Codec Supply Chain Risks: The Hidden Attack Surface in Media Libraries

Video codecs are some of the most complex code in your dependency tree. Their complexity and privileged execution make them prime supply chain targets.

Mar 5, 20255 min read
Software Supply Chain Security

Typosquatting Meets AI: The New Threat of AI-Generated Package Names

AI code assistants recommend packages that do not exist, and attackers are registering those hallucinated names. This new typosquatting vector exploits the trust developers place in AI suggestions.

Oct 20, 20247 min read
Software Supply Chain Security

Cross-Platform App Supply Chain Risks You Cannot Ignore

Cross-platform frameworks multiply supply chain attack surfaces by combining multiple dependency ecosystems. Understanding these compounded risks is essential for modern mobile and desktop security.

Sep 5, 20247 min read
Software Supply Chain Security

Homebrew Cask Security Verification: What Gets Checked Before Installation

Homebrew Cask installs macOS applications from the command line. Here is what security verification happens (and what does not) before software lands on your Mac.

May 8, 20245 min read
Software Supply Chain Security (Page 11) — Supply Chain Security Blog | Safeguard