Safeguard
Topic

Software Supply Chain Security

In-depth guides and analysis on software supply chain security from the Safeguard engineering team.

175 articles

Software Supply Chain Security

Mini Shai-Hulud AntV npm packages compromise

A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.

Jul 3, 20267 min read
Software Supply Chain Security

tj-actions/changed-files GitHub Action compromise

How the tj-actions/changed-files GitHub Action compromise (CVE-2025-30066) leaked CI/CD secrets from 23,000+ repos, and how to prevent it.

Jul 3, 20266 min read
Software Supply Chain Security

The Ultralytics AI pwn request supply chain attack

How a malicious pull request, a poisoned GitHub Actions cache, and a stored PyPI token turned the Ultralytics YOLO package into a cryptominer.

Jul 3, 20267 min read
Software Supply Chain Security

Axios npm package RAT supply chain compromise

A compromised maintainer account pushed malicious axios releases carrying a cross-platform RAT to npm on March 31, 2026 — here's the full timeline and IOCs.

Jul 3, 20267 min read
Software Supply Chain Security

Polyfill.io supply chain domain takeover

How a routine domain sale turned polyfill.io into malware served to 100,000+ sites, and how to catch supply chain takeovers before they ship.

Jul 2, 20267 min read
Software Supply Chain Security

PyPI typosquatting malicious packages

PyPI typosquatting tricks developers into installing malicious lookalike packages via one-letter typos. Real incidents, attack patterns, and defenses inside.

Jul 2, 20265 min read
Software Supply Chain Security

RubyGems strong_password malicious version RCE

In 2019, attackers hijacked the strong_password RubyGems account and shipped a backdoored v0.0.7 that let them eval() code in production Rails apps.

Jul 2, 20267 min read
Software Supply Chain Security

Understanding dependency confusion via npm package aliasing

npm's `npm:` alias syntax lets a trusted-looking dependency name resolve to attacker-controlled code — here's how that becomes dependency confusion, and how to detect it.

Jul 1, 20267 min read
Software Supply Chain Security

GitHub repo confusion and malware repositories

Fake GitHub repos with forged stars and AI-written READMEs are stealing crypto and credentials. Here's how repo confusion attacks actually work.

Jul 1, 20267 min read
Software Supply Chain Security

Software supply chain attack statistics and trends report

Software supply chain attacks keep climbing year over year. Here are the stats, incidents, and trends security teams need to know in 2026.

Jul 1, 20268 min read
Software Supply Chain Security

Laravel Lang supply chain advisory

A leaked PAT let attackers rewrite 700+ git tags across four Laravel-Lang packages, planting a credential stealer that ran on every PHP request.

Jul 1, 20267 min read
Software Supply Chain Security

A forgotten contributor account compromised the Mastra npm scope

A dormant npm account with unrevoked publish rights let attackers trojanize 144 @mastra packages in 88 minutes, dropping a crypto-wallet RAT tied to Sapphire Sleet.

Jun 30, 20266 min read
Software Supply Chain Security (Page 2) — Supply Chain Security Blog | Safeguard