Safeguard
Topic

Supply Chain

In-depth guides and analysis on supply chain from the Safeguard engineering team.

46 articles

Supply Chain

PyPI Malware News: What's Happening and How to Detect It

PyPI malware news keeps repeating the same pattern — typosquats, compromised maintainer accounts, and post-install scripts that exfiltrate credentials — here's how to actually catch it.

Jun 2, 20265 min read
Supply Chain

Software Supply Chain Security Solutions: A Comparison Framework

A framework for comparing software supply chain security solutions across the four capabilities that matter, SBOM generation, dependency scanning, provenance verification, and CI/CD gating.

May 19, 20265 min read
Supply Chain

Axios npm Vulnerabilities: The Full CVE History and Patch Guide

Every notable axios npm vulnerability, from the 2019 DoS to the 2025 SSRF, with the fixed versions and a patch path that also catches the transitive ones.

May 19, 20266 min read
Supply Chain

RubyGems and Bundler's Cooldown Discussion: Soak Windows as a First-Class Defender Policy

After the 2025 supply-chain waves, the ruby/rubygems community opened Discussion #9113 to evaluate a built-in cooldown feature for bundle update. Here is the defender argument and how to implement it today.

May 15, 20267 min read
Supply Chain

A Defender's Template for Package Registry Incident Communications, Built from the 2025-2026 Response Postmortems

The npm Shai-Hulud, PyPI credential-leak, and tj-actions response postmortems published through 2025-2026 reveal a common communication shape. Here is the template, the timing, and the policy that turns the template into a fast response.

May 14, 20267 min read
Supply Chain

NuGet's September 2025 Trusted Publishing Launch and the 2026 Signing Roadmap

NuGet became the fifth major registry to ship Trusted Publishing in September 2025, with .NET package signing and ID prefix reservation forming a complete trust-signal stack for the ecosystem.

May 12, 20266 min read
Supply Chain

Software Supply Chain Security Management: Building the Program

Software supply chain security management works as a program, not a tool purchase — it needs SBOM generation, dependency monitoring, and vendor risk scoring wired together with clear ownership.

May 8, 20265 min read
Supply Chain

Private Registry Hardening in 2026: How Nexus Firewall and JFrog Curation Closed the Mirror-Pass-Through Gap

Through 2025-2026, Sonatype Nexus Firewall, JFrog Curation, and Harness Artifact Registry shipped policy features specifically aimed at the Shai-Hulud pass-through problem, where private mirrors silently replicated malicious upstream packages.

Apr 22, 20267 min read
Supply Chain

Open Source Sustainability Is an Attack Surface Problem

Unmaintained, underfunded open source is not just a reliability risk — it is how attackers get in. The xz Utils backdoor proved that maintainer burnout is a security vulnerability with a CVE number.

Apr 16, 20266 min read
Supply Chain

Open Source Dependency Scanners: A Buyer's Checklist

A practical checklist for evaluating an open source dependency scanner — ecosystem coverage, reachability analysis, license detection, and how each handles transitive dependencies.

Apr 14, 20265 min read
Supply Chain

Software Supply Chain Threat Protection: A Framework

Software supply chain threat protection means securing the build pipeline and dependency graph itself, not just the code you write — provenance, signing, and SBOMs are the load-bearing pieces.

Apr 8, 20265 min read
Supply Chain

How npm's Takedown Response Time Compressed from Days to Hours During the 2025 Shai-Hulud Waves

AWS measured the September 8 chalk/debug compromise being removed within 2.5 hours and Shai-Hulud 2.0 in November within 12 hours. Here is how the registry-side response workflow operates and how to consume the signal.

Apr 2, 20267 min read
Supply Chain — Supply Chain Security Blog | Safeguard