Safeguard
Topic

Software Supply Chain Security

In-depth guides and analysis on software supply chain security from the Safeguard engineering team.

175 articles

Software Supply Chain Security

Cargo.lock integrity and reproducible builds as a supply ...

Cargo.lock pins your dependency tree, but only reproducible builds prove the binary you ship matches the source you reviewed and approved.

Feb 5, 20268 min read
Software Supply Chain Security

Event-Stream npm 2018: Package Trust Lessons That Still Apply

The event-stream npm incident remains the cleanest case study in maintainer-handoff risk. What it taught the ecosystem, and what we still ignore in 2026.

Feb 4, 20265 min read
Software Supply Chain Security

Sigstore Rekor Transparency Log Deep Dive 2026

How Rekor actually works in 2026, the trade-offs of the current Merkle tree design, witness diversity, and the operational realities of verifying inclusion at scale.

Feb 4, 20266 min read
Software Supply Chain Security

Case study: crates.io maintainer account takeover and mal...

How a compromised maintainer credential becomes a crates.io account takeover and a malicious crate version in the Rust software supply chain.

Feb 4, 20269 min read
Software Supply Chain Security

Go module proxy security: how GOPROXY and sum.golang.org ...

How GOPROXY and sum.golang.org protect Go builds with caching and checksum verification, and where trust-on-first-use gaps let malicious modules slip through.

Feb 4, 20267 min read
Software Supply Chain Security

Typosquatting and malicious Go modules published to pkg.g...

How malicious Go modules exploit pkg.go.dev's open publishing model, real typosquatting attacks like steelpoor/tlsproxy, and why Go's module proxy makes cleanup so hard.

Feb 4, 20268 min read
Software Supply Chain Security

What is a Private Package Registry

A private package registry controls who can publish and pull internal and third-party code — but only if it's configured to block, not just cache, public fallback resolution.

Feb 4, 20266 min read
Software Supply Chain Security

What is Artifact Repository Security

Artifact repositories are prime attack targets — one poisoned package reaches every downstream consumer. Here's what actually secures them.

Feb 3, 20267 min read
Software Supply Chain Security

What is Reproducible Builds

Reproducible builds let anyone recompile source code and cryptographically verify the binary matches — closing the gap attackers exploit when they compromise build systems, not source code.

Feb 3, 20268 min read
Software Supply Chain Security

Anatomy of a Go module supply chain compromise: lessons f...

Real incidents like the xz-utils backdoor reveal the anatomy of a go module supply chain compromise: maintainer trust, init() execution, and immutable proxy caching.

Feb 3, 20269 min read
Software Supply Chain Security

CocoaPods supply chain security and Podfile.lock integrit...

A 2024 CocoaPods Trunk server flaw let attackers hijack orphaned pods and exposed a deeper gap: Podfile.lock never verified dependency integrity in the first place.

Jan 30, 20267 min read
Software Supply Chain Security

iOS app supply chain risk from third-party SDKs and ad li...

Third-party SDKs and ad libraries run inside your iOS app with your app's permissions. Here's how ios sdk supply chain risk hides in plain sight — and what Safeguard does about it.

Jan 30, 20268 min read
Software Supply Chain Security (Page 8) — Supply Chain Security Blog | Safeguard