Safeguard
Tag

dependency-security

Safeguard articles tagged "dependency-security" — guides, analysis, and best practices for software supply chain and application security.

51 articles

AI Security

Slopsquatting (AI package hallucination attack)

Slopsquatting exploits AI coding assistants that hallucinate nonexistent package names, which attackers then register as real, malicious packages.

Mar 2, 20266 min read
Vulnerability Analysis

The event-stream npm Attack Explained

In 2018, a hijacked npm maintainer account turned event-stream into a supply chain weapon against crypto wallets. Here's the full CVE-style breakdown.

Feb 10, 20267 min read
Software Supply Chain Security

Go module proxy security: how GOPROXY and sum.golang.org ...

How GOPROXY and sum.golang.org protect Go builds with caching and checksum verification, and where trust-on-first-use gaps let malicious modules slip through.

Feb 4, 20267 min read
Software Supply Chain Security

Anatomy of a Go module supply chain compromise: lessons f...

Real incidents like the xz-utils backdoor reveal the anatomy of a go module supply chain compromise: maintainer trust, init() execution, and immutable proxy caching.

Feb 3, 20269 min read
Open Source Security

RubyGems supply chain attacks: gem typosquatting and hija...

A look at RubyGems typosquatting and maintainer takeovers: how malicious Ruby gems slip into the supply chain, and what actually stops them.

Feb 3, 20267 min read
Incident Analysis

event-stream / flatmap-stream npm backdoor incident

How a trusted npm maintainer handoff let attackers plant a wallet-draining backdoor in event-stream, and what it still teaches security teams today.

Jan 4, 20266 min read
Software Supply Chain Security

Securing the payment gateway software supply chain

A single compromised script or dependency can silently harvest card data at checkout. Here's what payment gateway supply chain security actually requires in 2026.

Jan 4, 20267 min read
Vulnerability Analysis

path-parse regular expression denial of service (CVE-2021-23343)

A ReDoS flaw in path-parse (CVE-2021-23343) lurks deep in webpack and resolve dependency trees. Here's the impact, timeline, and how to fix it.

Jan 3, 20267 min read
Vulnerability Analysis

Python requests library proxy-auth credential leak (CVE-2023-32681)

CVE-2023-32681 lets Python's requests library leak Proxy-Authorization credentials to destination servers on HTTPS redirects. Here's the impact, timeline, and fix.

Dec 31, 20258 min read
Vulnerability Analysis

How to detect malicious npm packages

Real npm supply chain attacks — event-stream, ua-parser-js, node-ipc, and the 2025 chalk/debug breach — show how to spot and stop malicious packages.

Dec 7, 20256 min read
Open Source Security

State of npm supply chain attacks

Maintainer phishing, self-propagating worms, and mass-download packages compromised: a look at the npm supply chain attack trends reshaping open source risk.

Nov 30, 20257 min read
Open Source Security

Malicious npm packages targeting developers in 2025

A year-end look at 2025's npm supply chain attacks—chalk/debug phishing, the Shai-Hulud worm, and industrialized malware campaigns—and how to defend against them.

Nov 30, 20257 min read
dependency-security (Page 3) — Safeguard Blog