Supply Chain
In-depth guides and analysis on supply chain from the Safeguard engineering team.
46 articles
PyPI Malware News: What's Happening and How to Detect It
PyPI malware news keeps repeating the same pattern — typosquats, compromised maintainer accounts, and post-install scripts that exfiltrate credentials — here's how to actually catch it.
Software Supply Chain Security Solutions: A Comparison Framework
A framework for comparing software supply chain security solutions across the four capabilities that matter, SBOM generation, dependency scanning, provenance verification, and CI/CD gating.
Axios npm Vulnerabilities: The Full CVE History and Patch Guide
Every notable axios npm vulnerability, from the 2019 DoS to the 2025 SSRF, with the fixed versions and a patch path that also catches the transitive ones.
RubyGems and Bundler's Cooldown Discussion: Soak Windows as a First-Class Defender Policy
After the 2025 supply-chain waves, the ruby/rubygems community opened Discussion #9113 to evaluate a built-in cooldown feature for bundle update. Here is the defender argument and how to implement it today.
A Defender's Template for Package Registry Incident Communications, Built from the 2025-2026 Response Postmortems
The npm Shai-Hulud, PyPI credential-leak, and tj-actions response postmortems published through 2025-2026 reveal a common communication shape. Here is the template, the timing, and the policy that turns the template into a fast response.
NuGet's September 2025 Trusted Publishing Launch and the 2026 Signing Roadmap
NuGet became the fifth major registry to ship Trusted Publishing in September 2025, with .NET package signing and ID prefix reservation forming a complete trust-signal stack for the ecosystem.
Software Supply Chain Security Management: Building the Program
Software supply chain security management works as a program, not a tool purchase — it needs SBOM generation, dependency monitoring, and vendor risk scoring wired together with clear ownership.
Private Registry Hardening in 2026: How Nexus Firewall and JFrog Curation Closed the Mirror-Pass-Through Gap
Through 2025-2026, Sonatype Nexus Firewall, JFrog Curation, and Harness Artifact Registry shipped policy features specifically aimed at the Shai-Hulud pass-through problem, where private mirrors silently replicated malicious upstream packages.
Open Source Sustainability Is an Attack Surface Problem
Unmaintained, underfunded open source is not just a reliability risk — it is how attackers get in. The xz Utils backdoor proved that maintainer burnout is a security vulnerability with a CVE number.
Open Source Dependency Scanners: A Buyer's Checklist
A practical checklist for evaluating an open source dependency scanner — ecosystem coverage, reachability analysis, license detection, and how each handles transitive dependencies.
Software Supply Chain Threat Protection: A Framework
Software supply chain threat protection means securing the build pipeline and dependency graph itself, not just the code you write — provenance, signing, and SBOMs are the load-bearing pieces.
How npm's Takedown Response Time Compressed from Days to Hours During the 2025 Shai-Hulud Waves
AWS measured the September 8 chalk/debug compromise being removed within 2.5 hours and Shai-Hulud 2.0 in November within 12 hours. Here is how the registry-side response workflow operates and how to consume the signal.