Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
Clinejection: prompt injection turns AI coding bot into supply chain attack
A prompt-injected GitHub issue title hijacked Cline's AI triage bot, poisoned its build cache, and pushed a malicious npm release to 4,000 developers.
ESLint config-prettier maintainer npm account compromise
A phished maintainer account turned eslint-config-prettier and four sibling npm packages into a malicious install-time payload — here's what happened and how to check exposure.
Understanding the software supply chain attack surface
SolarWinds, Log4Shell, and XZ Utils show the software supply chain attack surface is bigger than any single scan. Here's how to actually map and shrink it.
SBOM as a supply chain defense strategy
SBOMs turn "are we affected?" from a weeks-long fire drill into a query. Here's how they defend against real supply chain attacks like Log4Shell and XZ Utils.
GitHub dependency graph and dependency review explained
How GitHub Dependency Graph and Dependency Review actually work, what GitHub Advanced Security adds on top, and where the coverage gaps are for teams relying on manifest-only scanning.
Preventing malicious packages with automated detection
Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.
License compliance checks for open source dependencies on...
GitHub Advanced Security scans for vulnerabilities, not license risk. Here's what real open source license compliance requires—and where GHAS falls short.
Vendor breach exposure: third-party risk lessons from the Klue incident
A single forgotten credential at Klue exposed Salesforce CRM data at 14+ companies, including Snyk and Huntress—here's what it teaches about vendor risk.
SBOM export in GitHub: generating a software bill of mate...
GitHub lets you export an SPDX SBOM in two clicks, but the file only reflects what its dependency graph can see. Here's what's missing and how Safeguard fills it.
Repository health and source-code manager (SCM) risk
Repository health—branch protection, stale permissions, leaked secrets, OAuth grants—is a supply chain risk AppSec scanners like Checkmarx can't see. Here's why it matters.
What is a Software Bill of Materials (SBOM) and why it ma...
A software bill of materials (SBOM) is a live inventory of every dependency in your software. Here's why it matters, how JFrog handles it, and how Safeguard does better.
Malicious Package Detection: Behavioral vs Signature-Base...
A side-by-side look at signature-based malicious package detection (like Endor Labs) versus behavioral analysis, using real npm attack timelines from Shai-Hulud to chalk/debug.