Supply Chain Security
In-depth guides and analysis on supply chain security from the Safeguard engineering team.
55 articles
Polyfill.io Supply Chain Attack: When a CDN Domain Changes Hands
A Chinese company acquired the polyfill.io domain and began injecting malicious code into websites that relied on the CDN, affecting over 100,000 sites. The attack exploited trust in third-party JavaScript.
After XZ Utils: Rethinking Trust in Open Source Software
The XZ Utils backdoor forced the industry to confront uncomfortable questions about maintainer trust, funding, and the structural fragility of critical open source infrastructure.
How One Engineer's Curiosity Saved Linux: The XZ Utils Backdoor Discovery Story
Andres Freund noticed SSH was 500ms slower than expected. That observation prevented the most dangerous supply chain attack in open source history from reaching stable Linux distributions.
XZ Utils Backdoor (CVE-2024-3094): The Most Sophisticated Supply Chain Attack Ever Discovered
A multi-year social engineering campaign planted a backdoor in XZ Utils that would have compromised SSH on most Linux distributions. Technical deep dive into what happened.
npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain
npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.
Chocolatey Package Security on Windows: What You Need to Know
Chocolatey is the de facto package manager for Windows automation. Its trust model and security features deserve more scrutiny than most teams give them.
Securing Software Update Mechanisms
Software updates are a double-edged sword: they deliver patches but also provide a trusted channel attackers can exploit. Securing the update mechanism itself is essential to supply chain integrity.
Snap Store and Flatpak Security Models Compared
Universal Linux packaging formats promise sandboxed applications. Their security models differ significantly, and neither delivers the isolation most users assume.
Package Registry Mirroring: Security Benefits and Hidden Risks
Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their own security considerations that most teams overlook.
Domain Squatting and Package Registry Attacks
Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack is trivially easy to execute and remarkably effective.
Code Signing Certificates and Software Supply Chain Integrity
Code signing is a critical trust anchor in the software supply chain. This guide covers how it works, how it fails, and how to implement it correctly.
Browser Extension Permission Models and Supply Chain Risk
Browser extensions operate with broad permissions and auto-update silently. Here is how the extension permission model creates supply chain risks and what organizations can do about it.