Safeguard
Topic

Supply Chain

In-depth guides and analysis on supply chain from the Safeguard engineering team.

46 articles

Supply Chain

How to Fix a Vulnerable Transitive Dependency in npm

The CVE is four levels deep in a package you never installed. Four escalating fixes — parent upgrade, npm update, overrides, and forking — with the exact commands.

Oct 21, 20256 min read
Supply Chain

SCA Scanning: What It Catches in Practice

SCA scanning finds known CVEs in your open-source dependencies and license conflicts you didn't know you'd agreed to — here's exactly what a scan catches, in order of how often it actually matters.

Sep 30, 20255 min read
Supply Chain

Shai-Hulud: The Self-Replicating npm Worm That Hit 500+ Packages

On September 15, 2025, a self-replicating npm worm dubbed Shai-Hulud backdoored more than 500 packages, including @ctrl/tinycolor and CrowdStrike libraries, by pivoting through stolen publish tokens.

Sep 22, 20256 min read
Supply Chain

@ctrl/tinycolor and the 40-Package npm Wave of September 2025

@ctrl/tinycolor versions 4.1.1 and 4.1.2 shipped a credential-stealing payload that propagated to 40+ packages with 2 million combined weekly downloads in under 24 hours.

Sep 18, 20255 min read
Supply Chain

SCA vs Static Code Analysis: The Real Difference

Software composition analysis and static code analysis get lumped together constantly, but they read entirely different things and catch entirely different bugs.

Sep 15, 20256 min read
Supply Chain

What Is a Software Ingredient Label?

Food gets an ingredient panel; software gets an SBOM. What a software ingredient label contains, who is demanding one, and how to generate yours automatically.

Sep 9, 20256 min read
Supply Chain

Nx s1ngularity: The First AI-Aware Supply Chain Worm

On August 26, 2025, malicious versions of Nx (20.9.0–21.8.0) harvested 2,349 credentials from 1,079 developers and weaponized Claude, Gemini, and Q CLIs to enumerate local secrets.

Aug 29, 20256 min read
Supply Chain

SCA Security Testing: A Workflow Guide

SCA security testing only works when it's wired into an actual development workflow — here's what that pipeline looks like from commit to merge to production monitoring.

Jul 21, 20255 min read
Supply Chain

Open Source Code Scanning: Tools and Workflow

Open source code scanning tools can cover most of a small team's needs for free, but the workflow around them — what runs where, and who reviews the output — matters more than which tool you pick.

Jun 17, 20255 min read
Supply Chain

Snyk SBOM Generation: How It Works

How Snyk builds a software bill of materials from a dependency scan, what formats it exports, and where teams still need to fill gaps manually.

Jun 9, 20255 min read
Supply Chain

SCA Security: What Software Composition Analysis Actually Catches

SCA security scans the open source dependencies that make up most of your codebase, finding known CVEs, risky licenses, and malicious packages. Here is what it catches — and what it does not.

May 27, 20257 min read
Supply Chain

What Is SBOM Security, and Why Does It Matter?

SBOM security is the practice of using a software bill of materials to actually find and act on risk in your dependencies, not just to produce a compliance document.

May 14, 20254 min read
Supply Chain (Page 3) — Supply Chain Security Blog | Safeguard