Safeguard
Topic

Software Supply Chain Security

In-depth guides and analysis on software supply chain security from the Safeguard engineering team.

175 articles

Software Supply Chain Security

Clinejection: prompt injection turns AI coding bot into supply chain attack

A prompt-injected GitHub issue title hijacked Cline's AI triage bot, poisoned its build cache, and pushed a malicious npm release to 4,000 developers.

Jun 30, 20267 min read
Software Supply Chain Security

ESLint config-prettier maintainer npm account compromise

A phished maintainer account turned eslint-config-prettier and four sibling npm packages into a malicious install-time payload — here's what happened and how to check exposure.

Jun 29, 20266 min read
Software Supply Chain Security

Understanding the software supply chain attack surface

SolarWinds, Log4Shell, and XZ Utils show the software supply chain attack surface is bigger than any single scan. Here's how to actually map and shrink it.

Jun 29, 20267 min read
Software Supply Chain Security

SBOM as a supply chain defense strategy

SBOMs turn "are we affected?" from a weeks-long fire drill into a query. Here's how they defend against real supply chain attacks like Log4Shell and XZ Utils.

Jun 29, 20267 min read
Software Supply Chain Security

GitHub dependency graph and dependency review explained

How GitHub Dependency Graph and Dependency Review actually work, what GitHub Advanced Security adds on top, and where the coverage gaps are for teams relying on manifest-only scanning.

Jun 29, 20267 min read
Software Supply Chain Security

Preventing malicious packages with automated detection

Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.

Jun 29, 20266 min read
Software Supply Chain Security

License compliance checks for open source dependencies on...

GitHub Advanced Security scans for vulnerabilities, not license risk. Here's what real open source license compliance requires—and where GHAS falls short.

Jun 29, 20267 min read
Software Supply Chain Security

Vendor breach exposure: third-party risk lessons from the Klue incident

A single forgotten credential at Klue exposed Salesforce CRM data at 14+ companies, including Snyk and Huntress—here's what it teaches about vendor risk.

Jun 28, 20268 min read
Software Supply Chain Security

SBOM export in GitHub: generating a software bill of mate...

GitHub lets you export an SPDX SBOM in two clicks, but the file only reflects what its dependency graph can see. Here's what's missing and how Safeguard fills it.

Jun 28, 20266 min read
Software Supply Chain Security

Repository health and source-code manager (SCM) risk

Repository health—branch protection, stale permissions, leaked secrets, OAuth grants—is a supply chain risk AppSec scanners like Checkmarx can't see. Here's why it matters.

Jun 23, 20268 min read
Software Supply Chain Security

What is a Software Bill of Materials (SBOM) and why it ma...

A software bill of materials (SBOM) is a live inventory of every dependency in your software. Here's why it matters, how JFrog handles it, and how Safeguard does better.

May 28, 20267 min read
Software Supply Chain Security

Malicious Package Detection: Behavioral vs Signature-Base...

A side-by-side look at signature-based malicious package detection (like Endor Labs) versus behavioral analysis, using real npm attack timelines from Shai-Hulud to chalk/debug.

May 17, 20267 min read
Software Supply Chain Security (Page 3) — Supply Chain Security Blog | Safeguard