dependency-security
Safeguard articles tagged "dependency-security" — guides, analysis, and best practices for software supply chain and application security.
51 articles
Slopsquatting (AI package hallucination attack)
Slopsquatting exploits AI coding assistants that hallucinate nonexistent package names, which attackers then register as real, malicious packages.
The event-stream npm Attack Explained
In 2018, a hijacked npm maintainer account turned event-stream into a supply chain weapon against crypto wallets. Here's the full CVE-style breakdown.
Go module proxy security: how GOPROXY and sum.golang.org ...
How GOPROXY and sum.golang.org protect Go builds with caching and checksum verification, and where trust-on-first-use gaps let malicious modules slip through.
Anatomy of a Go module supply chain compromise: lessons f...
Real incidents like the xz-utils backdoor reveal the anatomy of a go module supply chain compromise: maintainer trust, init() execution, and immutable proxy caching.
RubyGems supply chain attacks: gem typosquatting and hija...
A look at RubyGems typosquatting and maintainer takeovers: how malicious Ruby gems slip into the supply chain, and what actually stops them.
event-stream / flatmap-stream npm backdoor incident
How a trusted npm maintainer handoff let attackers plant a wallet-draining backdoor in event-stream, and what it still teaches security teams today.
Securing the payment gateway software supply chain
A single compromised script or dependency can silently harvest card data at checkout. Here's what payment gateway supply chain security actually requires in 2026.
path-parse regular expression denial of service (CVE-2021-23343)
A ReDoS flaw in path-parse (CVE-2021-23343) lurks deep in webpack and resolve dependency trees. Here's the impact, timeline, and how to fix it.
Python requests library proxy-auth credential leak (CVE-2023-32681)
CVE-2023-32681 lets Python's requests library leak Proxy-Authorization credentials to destination servers on HTTPS redirects. Here's the impact, timeline, and fix.
How to detect malicious npm packages
Real npm supply chain attacks — event-stream, ua-parser-js, node-ipc, and the 2025 chalk/debug breach — show how to spot and stop malicious packages.
State of npm supply chain attacks
Maintainer phishing, self-propagating worms, and mass-download packages compromised: a look at the npm supply chain attack trends reshaping open source risk.
Malicious npm packages targeting developers in 2025
A year-end look at 2025's npm supply chain attacks—chalk/debug phishing, the Shai-Hulud worm, and industrialized malware campaigns—and how to defend against them.