Supply Chain Attacks
In-depth guides and analysis on supply chain attacks from the Safeguard engineering team.
92 articles
When the Vulnerability Is the Design: MCP STDIO Command Injection Across 150M Downloads (May 2026)
OX Security documented command injection through the MCP STDIO transport across Python, TypeScript, Java, and Rust SDKs. Anthropic calls the behavior by-design and won't patch upstream. That leaves the fix to thousands of downstream projects.
tj-actions Supply Chain Attack March 2025: A Postmortem
The tj-actions/changed-files compromise exposed CI secrets across thousands of public repositories. A postmortem on the attack chain and the GitHub Actions trust model.
Go Toolchain Supply Chain Risks: 2025 Research
2025 research on Go toolchain supply chain risks: module proxy abuse, replace directive attacks, cgo linker vectors, and the hardening patterns Go shops should adopt.
Composer/PHP Supply Chain Threats: 2025 Report
A senior engineer's 2025 report on Composer and Packagist supply chain threats: namespace abuse, abandoned maintainers, plugin hooks, and the attacks that actually landed on PHP shops.
Chrome Extension Cyberhaven Supply Chain Attack 2024
A technical retrospective on the 2024 Cyberhaven Chrome extension compromise: the phishing chain, the malicious OAuth flow, the exfiltration payload, and what actually changes browser-extension supply chain defense.
How to Detect Dependency Confusion Attacks Before They Ship
Dependency confusion still works in 2026 because teams keep missing the same three controls. Here's how to detect and block it in npm, pip, and Maven.
Ledger Connect Kit December 2023: A CDN Attack Retrospective
The Ledger Connect Kit compromise was a five-hour CDN attack that drained roughly $600k from connected wallets. A look at how it happened and what defenders learned.
VS Code Marketplace Malware Campaigns in 2025
A senior engineer's review of the 2025 VS Code Marketplace malware wave, including typosquats, trojanized themes, and extensions that stole npm tokens at scale.
OSS Maintainer Account Takeover Trends 2025
A senior engineer's breakdown of how maintainer account takeovers evolved in 2025, from phishing kits targeting PyPI to session token theft on GitHub and npm.
npm Protestware Patterns From 2020 to 2026
A senior engineer's view of six years of npm protestware, from colors.js to peacenotwar, and the supply chain lessons that still apply to modern JavaScript shops.
npm Slopsquat: The Hallucinated Package Risk in 2026
Slopsquatting is the practice of registering package names that LLMs hallucinate, turning AI coding assistants into an accidental distribution channel.
Maven Central Malicious Publishing Trends 2025
Maven Central has historically been the quietest major registry for malware, but 2025 saw a measurable uptick in malicious artifacts and namespace abuse.