Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
Trusted Publishing for npm: Why Only 14% of Compromised P...
Only 14% of packages compromised since npm launched Trusted Publishing use it. Here's how OIDC-based publishing works, why adoption lags, and what still gets missed.
Package Firewall: Blocking Malicious Dependencies at Inst...
Malicious npm and PyPI packages are published daily. See why a package firewall that blocks at install time stops attacks that post-hoc scanners catch too late.
Dependency Cooldown Periods as a Malware Defense
Malicious npm packages are often caught within days. Cooldown periods exploit that lag — here's how they work, and how Endor Labs and Safeguard compare.
TanStack's Build Pipeline Got Hijacked and Still Signed Valid SLSA Provenance (May 2026)
On May 11, 2026, attackers chained a pull_request_target abuse, cache poisoning, and OIDC token theft to publish 84 malicious @tanstack npm versions from TanStack's own trusted pipeline. It is the first npm compromise to carry valid SLSA provenance.
Best SBOM tools compared (including Trivy)
Trivy generates SBOMs fast at scan time. Safeguard turns those SBOMs into a versioned, queryable inventory you can match against new CVEs org-wide.
Securing IoT device firmware supply chains
How Ripple20, Mirai, and Realtek SDK flaws exposed IoT firmware supply chains, what EU CRA and FDA SBOM rules require, and what reachability adds.
Software supply chain attacks: how they work and recent e...
Software supply chain attacks like SolarWinds, xz-utils, and polyfill.io bypass vulnerability scanners entirely. Here's how they work and where provenance verification fills the gap.
Container image signing and verification
Scanning tells you what's inside a container image; signing proves where it came from. Here's how signature verification closes the gap that CVE scanners like Trivy leave open.
PulseMeter report: software supply chain risk perceptions
Safeguard's latest PulseMeter survey finds 71% of teams hit a supply chain incident this year, but only 34% feel confident they'd catch one in time.
NPM package vulnerabilities: risks and detection
NPM's open, high-velocity ecosystem makes it a top target for supply chain attacks. Here's how vulnerabilities slip past scanners like Trivy undetected.
Container Image Supply Chain Security Deep Dive 2026
A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.
What Is a Software Supply Chain Attack? A 2026 Primer
A grounded 2026 primer on software supply chain attacks: definitions, the four real attack vectors, landmark incidents, and where defenders should start.