Safeguard
Tag

dependency-security

Safeguard articles tagged "dependency-security" — guides, analysis, and best practices for software supply chain and application security.

51 articles

Best Practices

AppSec anti-patterns to eliminate

23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.

Jul 14, 20266 min read
AI Security

Can AI-Generated Code Be Trusted? A Security Review

A 2025 USENIX study found LLMs hallucinate nonexistent packages in up to 21.7% of code samples — and attackers are already registering the names.

Jul 13, 20267 min read
Open Source Security

Contributing to open source securely: a guide for new maintainers and PR authors

It took roughly two years of trusted commits before the xz-utils backdoor shipped. Here's how new contributors avoid becoming the next weak link.

Jul 12, 20267 min read
AI Security

A Checklist for Reviewing AI-Generated Code Before It Merges

19.7% of packages LLMs recommend don't exist in real registries, per a 576,000-sample USENIX 2025 study — here's what to check before merging AI-written code.

Jul 8, 20267 min read
Industry Analysis

The State of Open Source Security: What a Year of Disclosure Data Shows

454,600+ new malicious packages hit open-source registries in 2025, and NVD still closed the year with a 27,000-CVE enrichment backlog.

Jul 8, 20266 min read
Supply Chain Attacks

A dormant contributor account just took down the entire Mastra npm scope

One forgotten npm maintainer account let an attacker republish all 142 packages in the @mastra scope in 90 minutes, hitting a package with 4 million monthly downloads.

Jul 7, 20266 min read
Software Supply Chain Security

ua-parser-js npm hijack incident

In 2021, a hijacked npm account pushed cryptomining and password-stealing malware into ua-parser-js for 4 hours. Here's what happened and how to catch it faster.

Jul 5, 20266 min read
Software Supply Chain Security

A forgotten contributor account compromised the Mastra npm scope

A dormant npm account with unrevoked publish rights let attackers trojanize 144 @mastra packages in 88 minutes, dropping a crypto-wallet RAT tied to Sapphire Sleet.

Jun 30, 20266 min read
Software Supply Chain Security

Preventing malicious packages with automated detection

Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.

Jun 29, 20266 min read
AI Security

AI hallucinations and their security implications for developers

LLMs hallucinate nonexistent packages in up to 1 in 5 code samples — and slopsquatting attacks are already exploiting that predictability in the wild.

Jun 12, 20266 min read
Application Security

Comparing Node.js frameworks for security: Express, Fastify, NestJS

Express, Fastify, and NestJS compared on real CVE history, default security posture, and dependency risk — plus how to close the gaps framework choice alone can't.

May 24, 20267 min read
Application Security

Using Python libraries for secure network communication

A look at requests, urllib3, cryptography, and paramiko: real CVEs (Terrapin, header leaks), insecure defaults, and how to pin them safely.

May 21, 20266 min read
dependency-security — Safeguard Blog