ai-security
Safeguard articles tagged "ai-security" — guides, analysis, and best practices for software supply chain and application security.
532 articles
Claude Sonnet 4.5 System Card: Security Reading
Anthropic shipped Claude Sonnet 4.5 on September 29, 2025 with a 70-page system card. We pull the supply-chain-relevant findings out of it.
How Snyk Agent Fix's agentic retry loop self-corrects fai...
A technical look at how Snyk's Agent Fix uses a bounded, feedback-driven retry loop to validate and self-correct AI-generated vulnerability fixes before they reach a pull request.
Supply Chain Attacks Targeting AI/ML Pipelines
AI and ML pipelines introduce unique supply chain risks -- from poisoned training data to compromised model registries. Here is what attackers are targeting and how to defend.
Nx s1ngularity: The First AI-Aware Supply Chain Worm
On August 26, 2025, malicious versions of Nx (20.9.0–21.8.0) harvested 2,349 credentials from 1,079 developers and weaponized Claude, Gemini, and Q CLIs to enumerate local secrets.
Open-Weight Model Sandboxing Patterns
Running an open-weight model inside an enterprise perimeter seems safer than calling a hosted API. It is, and it isn't. The sandboxing patterns that actually produce the safety properties.
GPT-5 Launch: Reading the System Card for Supply-Chain Risk
GPT-5 shipped August 13, 2025 under OpenAI's Preparedness Framework v2. Here's what the system card tells security teams about deployment risk.
How Snyk AI-BOM detects MCP servers connected to an appli...
A technical look at how Snyk's AI-BOM statically detects MCP client-server connections in source code, what CycloneDX data it captures, and where its coverage stops.
How Snyk AI-BOM surfaces shadow AI usage that security te...
How Snyk's AI-BOM uses code-level analysis, not manifest parsing, to surface shadow AI models, agent frameworks, and MCP servers security teams don't know are running.
How Snyk's AI-BOM API lets teams query AI component inven...
How Snyk's AI-BOM API exposes AI model and dataset inventories as queryable, CycloneDX-aligned data teams can pull into CI, GRC, and asset tooling programmatically.
How Snyk's AI-SPM approach extends ASPM concepts to AI sy...
How Snyk's Evo AI-SPM extends ASPM's discover-assess-enforce loop to models, datasets, and agents, based on its March 2026 GA launch and public documentation.
The Prompt Injection Problem Hiding Inside Everyday Code ...
AI coding assistants read untrusted files as instructions, not data. Here's how prompt injection sneaks malicious code into your commits — and how to catch it before it ships.
Hallucinated Dependencies: How AI Models Invent Package N...
AI coding assistants regularly invent package names that don't exist — and attackers are registering them first. Here's how slopsquatting works and how to defend against it.