Safeguard
Topic

Supply Chain Security

In-depth guides and analysis on supply chain security from the Safeguard engineering team.

55 articles

Supply Chain Security

Polyfill.io Supply Chain Attack: When a CDN Domain Changes Hands

A Chinese company acquired the polyfill.io domain and began injecting malicious code into websites that relied on the CDN, affecting over 100,000 sites. The attack exploited trust in third-party JavaScript.

Jun 25, 20246 min read
Supply Chain Security

After XZ Utils: Rethinking Trust in Open Source Software

The XZ Utils backdoor forced the industry to confront uncomfortable questions about maintainer trust, funding, and the structural fragility of critical open source infrastructure.

Apr 5, 20247 min read
Supply Chain Security

How One Engineer's Curiosity Saved Linux: The XZ Utils Backdoor Discovery Story

Andres Freund noticed SSH was 500ms slower than expected. That observation prevented the most dangerous supply chain attack in open source history from reaching stable Linux distributions.

Apr 1, 20247 min read
Supply Chain Security

XZ Utils Backdoor (CVE-2024-3094): The Most Sophisticated Supply Chain Attack Ever Discovered

A multi-year social engineering campaign planted a backdoor in XZ Utils that would have compromised SSH on most Linux distributions. Technical deep dive into what happened.

Mar 29, 20246 min read
Supply Chain Security

npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain

npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.

Mar 20, 20247 min read
Supply Chain Security

Chocolatey Package Security on Windows: What You Need to Know

Chocolatey is the de facto package manager for Windows automation. Its trust model and security features deserve more scrutiny than most teams give them.

Mar 12, 20245 min read
Supply Chain Security

Securing Software Update Mechanisms

Software updates are a double-edged sword: they deliver patches but also provide a trusted channel attackers can exploit. Securing the update mechanism itself is essential to supply chain integrity.

Mar 5, 20246 min read
Supply Chain Security

Snap Store and Flatpak Security Models Compared

Universal Linux packaging formats promise sandboxed applications. Their security models differ significantly, and neither delivers the isolation most users assume.

Nov 12, 20236 min read
Supply Chain Security

Package Registry Mirroring: Security Benefits and Hidden Risks

Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their own security considerations that most teams overlook.

Oct 8, 20235 min read
Supply Chain Security

Domain Squatting and Package Registry Attacks

Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack is trivially easy to execute and remarkably effective.

Jul 5, 20236 min read
Supply Chain Security

Code Signing Certificates and Software Supply Chain Integrity

Code signing is a critical trust anchor in the software supply chain. This guide covers how it works, how it fails, and how to implement it correctly.

Mar 8, 20237 min read
Supply Chain Security

Browser Extension Permission Models and Supply Chain Risk

Browser extensions operate with broad permissions and auto-update silently. Here is how the extension permission model creates supply chain risks and what organizations can do about it.

Nov 5, 20226 min read
Supply Chain Security (Page 4) — Supply Chain Security Blog | Safeguard