Safeguard
Topic

Supply Chain Security

In-depth guides and analysis on supply chain security from the Safeguard engineering team.

55 articles

Supply Chain Security

Do Not Pass GO: Malicious Golang Package Alert

A typosquat of boltdb/bolt stayed cached on Go's module proxy for roughly three years after its source repo was cleaned up — proxy caching beats takedowns.

Jul 16, 20266 min read
Supply Chain Security

npm supply-chain attacks: typosquatting, dependency confusion, and postinstall malware

event-stream hid a wallet-stealing payload behind 8M downloads in 2018. Here's how typosquatting and dependency confusion actually work, and how to stop them.

Jul 15, 20266 min read
Supply Chain Security

A four-surface framework for software supply-chain risk

Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.

Jul 14, 20267 min read
Supply Chain Security

The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed

NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.

Jul 13, 20267 min read
Supply Chain Security

A patching playbook for critical open-source CVEs

Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.

Jul 13, 20266 min read
Supply Chain Security

Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle

CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.

Jul 12, 20266 min read
Supply Chain Security

The C++ supply chain has no npm — and that's the risk

C++ has no single package registry like npm or PyPI, so vendored code hides provenance — the XZ Utils backdoor (CVE-2024-3094, CVSS 10.0) shows the cost.

Jul 11, 20266 min read
Supply Chain Security

CI/CD pipeline hardening against supply chain attacks

23,000+ repos were exposed when tj-actions/changed-files was compromised in March 2025 — pinned SHAs and OIDC would have stopped it cold.

Jul 10, 20267 min read
Supply Chain Security

IDE extension marketplace trust and verification

Wiz Research found 550+ leaked secrets across 500+ VS Code extensions, including publisher tokens that let attackers push malicious updates to entire install bases.

Jul 10, 20266 min read
Supply Chain Security

Incident response playbook for a compromised dependency or CI action

23,000+ repos leaked secrets when tj-actions was hijacked in March 2025. Here's the revoke, rotate, and audit playbook for when it's your turn.

Jul 10, 20266 min read
Supply Chain Security

Anatomy of a Malicious Go Package Typosquat

A Go typosquat backdoored since 2021 stayed live for over three years because Go's module proxy caches code immutably — even after the attacker cleaned the repo.

Jul 10, 20266 min read
Supply Chain Security

Detecting malicious postinstall scripts in npm packages

A 2025 phishing attack compromised 18 npm packages with 2.6 billion weekly downloads. Here's how postinstall scripts became npm's top attack vector.

Jul 9, 20266 min read
Supply Chain Security — Supply Chain Security Blog | Safeguard