Supply Chain Security
In-depth guides and analysis on supply chain security from the Safeguard engineering team.
55 articles
Dependency confusion and npm supply-chain hardening
One researcher earned over $130,000 exploiting name collisions between public and private registries at 35 companies — here's how lockfiles and scoping stop it.
What developer-first supply chain security actually requires
The xz-utils backdoor was caught by a 500ms SSH login delay, not a scanner. Real developer-first security means catching it before the commit ships.
Enriching SBOMs with Vulnerability and License Metadata
A base SBOM only lists what's in your build — OSV.dev, EPSS, and OpenSSF Scorecard turn that inventory into a prioritized risk decision.
Generating a CycloneDX/SPDX SBOM for a Node.js Application
npm has shipped a native `npm sbom` command since v9 — but a real supply chain program needs more than the CLI default. Here's how to do it right.
How Attackers Clone GitHub Repos to Ship Malware
One threat actor ran 3,000+ fake GitHub accounts and 2,200+ cloned repos to infect over 1,300 victims in four days. Here's how to spot the fakes.
SBOM adoption: generating, distributing, and consuming SBOMs to cut supply chain risk
Four years after EO 14028, most SBOMs still sit unread in a folder. Here's how to generate, ship, and actually query one before the next Log4Shell.
How to Scan Large GitHub Orgs for Exposed Secrets Responsibly
28.65 million new secrets landed on public GitHub in 2025 alone. Here's a research methodology for finding them at scale without becoming the next incident.
Securing SBOM storage and distribution in cloud environments
GitGuardian found 23.77 million secrets exposed on public GitHub in 2024 alone — an unprotected SBOM repository is the same mistake, just with your dependency tree instead.
When the Security Tool Is the Backdoor
CCleaner, tj-actions, and ua-parser-js show the same pattern: trusted tools with CI access became the attack, hitting 2.27M+ users and 23,000+ repos.
A vendor-neutral framework for software supply chain security tools
Supply chain tooling splits into four distinct categories with different failure modes — the xz-utils backdoor slipped past most of them for over two years.
Software supply chain attacks in 2026: what's actually changed
A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.
Software Supply Chain Attack at Scale: npm, PyPI, and Docker Hub Hit in 48 Hours
GitGuardian documented three distinct supply-chain campaigns striking npm, PyPI, and Docker Hub inside a single 48-hour window in April 2026. The simultaneity tells you more about attacker tooling than any single payload does.