Supply Chain Security
In-depth guides and analysis on supply chain security from the Safeguard engineering team.
55 articles
Do Not Pass GO: Malicious Golang Package Alert
A typosquat of boltdb/bolt stayed cached on Go's module proxy for roughly three years after its source repo was cleaned up — proxy caching beats takedowns.
npm supply-chain attacks: typosquatting, dependency confusion, and postinstall malware
event-stream hid a wallet-stealing payload behind 8M downloads in 2018. Here's how typosquatting and dependency confusion actually work, and how to stop them.
A four-surface framework for software supply-chain risk
Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.
The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed
NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.
A patching playbook for critical open-source CVEs
Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.
Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle
CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.
The C++ supply chain has no npm — and that's the risk
C++ has no single package registry like npm or PyPI, so vendored code hides provenance — the XZ Utils backdoor (CVE-2024-3094, CVSS 10.0) shows the cost.
CI/CD pipeline hardening against supply chain attacks
23,000+ repos were exposed when tj-actions/changed-files was compromised in March 2025 — pinned SHAs and OIDC would have stopped it cold.
IDE extension marketplace trust and verification
Wiz Research found 550+ leaked secrets across 500+ VS Code extensions, including publisher tokens that let attackers push malicious updates to entire install bases.
Incident response playbook for a compromised dependency or CI action
23,000+ repos leaked secrets when tj-actions was hijacked in March 2025. Here's the revoke, rotate, and audit playbook for when it's your turn.
Anatomy of a Malicious Go Package Typosquat
A Go typosquat backdoored since 2021 stayed live for over three years because Go's module proxy caches code immutably — even after the attacker cleaned the repo.
Detecting malicious postinstall scripts in npm packages
A 2025 phishing attack compromised 18 npm packages with 2.6 billion weekly downloads. Here's how postinstall scripts became npm's top attack vector.