Safeguard
Topic

Software Supply Chain Security

In-depth guides and analysis on software supply chain security from the Safeguard engineering team.

175 articles

Software Supply Chain Security

Trusted Publishing for npm: Why Only 14% of Compromised P...

Only 14% of packages compromised since npm launched Trusted Publishing use it. Here's how OIDC-based publishing works, why adoption lags, and what still gets missed.

May 17, 20268 min read
Software Supply Chain Security

Package Firewall: Blocking Malicious Dependencies at Inst...

Malicious npm and PyPI packages are published daily. See why a package firewall that blocks at install time stops attacks that post-hoc scanners catch too late.

May 17, 20268 min read
Software Supply Chain Security

Dependency Cooldown Periods as a Malware Defense

Malicious npm packages are often caught within days. Cooldown periods exploit that lag — here's how they work, and how Endor Labs and Safeguard compare.

May 17, 20268 min read
Software Supply Chain Security

TanStack's Build Pipeline Got Hijacked and Still Signed Valid SLSA Provenance (May 2026)

On May 11, 2026, attackers chained a pull_request_target abuse, cache poisoning, and OIDC token theft to publish 84 malicious @tanstack npm versions from TanStack's own trusted pipeline. It is the first npm compromise to carry valid SLSA provenance.

May 15, 202611 min read
Software Supply Chain Security

Best SBOM tools compared (including Trivy)

Trivy generates SBOMs fast at scan time. Safeguard turns those SBOMs into a versioned, queryable inventory you can match against new CVEs org-wide.

Apr 28, 20268 min read
Software Supply Chain Security

Securing IoT device firmware supply chains

How Ripple20, Mirai, and Realtek SDK flaws exposed IoT firmware supply chains, what EU CRA and FDA SBOM rules require, and what reachability adds.

Apr 28, 20267 min read
Software Supply Chain Security

Software supply chain attacks: how they work and recent e...

Software supply chain attacks like SolarWinds, xz-utils, and polyfill.io bypass vulnerability scanners entirely. Here's how they work and where provenance verification fills the gap.

Apr 25, 20268 min read
Software Supply Chain Security

Container image signing and verification

Scanning tells you what's inside a container image; signing proves where it came from. Here's how signature verification closes the gap that CVE scanners like Trivy leave open.

Apr 25, 20268 min read
Software Supply Chain Security

PulseMeter report: software supply chain risk perceptions

Safeguard's latest PulseMeter survey finds 71% of teams hit a supply chain incident this year, but only 34% feel confident they'd catch one in time.

Apr 25, 20267 min read
Software Supply Chain Security

NPM package vulnerabilities: risks and detection

NPM's open, high-velocity ecosystem makes it a top target for supply chain attacks. Here's how vulnerabilities slip past scanners like Trivy undetected.

Apr 25, 20266 min read
Software Supply Chain Security

Container Image Supply Chain Security Deep Dive 2026

A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.

Apr 22, 20266 min read
Software Supply Chain Security

What Is a Software Supply Chain Attack? A 2026 Primer

A grounded 2026 primer on software supply chain attacks: definitions, the four real attack vectors, landmark incidents, and where defenders should start.

Apr 17, 20268 min read
Software Supply Chain Security (Page 4) — Supply Chain Security Blog | Safeguard