Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
Homebrew formula security incidents
A timeline of Homebrew formula security incidents — from the 2018 Jenkins token leak to 2026's Trivy tap compromise — and what Homebrew's Tap Trust fix means for security teams.
Best software supply chain risk scoring and rating platforms
A practical, no-hype guide to choosing software supply chain risk scoring platforms — evaluation criteria plus a fair roundup of six real vendors, strengths and limitations included.
Known Vulnerabilities in Dependencies: Detection and Triage
Known vulnerabilities in dependencies aren't a detection problem — they're a triage problem. Here's how CVEs get exploited, why CVSS alone misleads, and how to prioritize fixes.
Name Confusion Attacks: Typosquatting and Brandjacking
Typosquatting and brandjacking let attackers hijack trust in package names instead of writing exploits. Here's how crossenv, PyPI's 2017 campaign, and PyTorch's torchtriton breach actually worked.
Untracked Dependencies in the Software Supply Chain
Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.
Outdated Software Components: Quantifying the Risk
Outdated dependencies sit in nearly every codebase. Here's what Equifax and Log4Shell reveal about the real cost of unpatched software supply chain risk.
Unapproved Change Risk in the Software Supply Chain
How unreviewed code, dependency, and pipeline changes create supply chain breaches like SolarWinds and XZ Utils - and how to detect them before attackers do.
AI Bill of Materials (AI-BOM) for Model Supply Chains
An AI-BOM tracks every model, dataset, and dependency in your ML pipeline so a compromised base model or license issue can be traced in minutes, not weeks.
Video Codec Supply Chain Risks: The Hidden Attack Surface in Media Libraries
Video codecs are some of the most complex code in your dependency tree. Their complexity and privileged execution make them prime supply chain targets.
Typosquatting Meets AI: The New Threat of AI-Generated Package Names
AI code assistants recommend packages that do not exist, and attackers are registering those hallucinated names. This new typosquatting vector exploits the trust developers place in AI suggestions.
Cross-Platform App Supply Chain Risks You Cannot Ignore
Cross-platform frameworks multiply supply chain attack surfaces by combining multiple dependency ecosystems. Understanding these compounded risks is essential for modern mobile and desktop security.
Homebrew Cask Security Verification: What Gets Checked Before Installation
Homebrew Cask installs macOS applications from the command line. Here is what security verification happens (and what does not) before software lands on your Mac.