Safeguard
Tag

nuget

Safeguard articles tagged "nuget" — guides, analysis, and best practices for software supply chain and application security.

20 articles

Supply Chain Attacks

The Moq NuGet incident: how a mocking library harvested developer emails

In August 2023, Moq v4.20.0 quietly ran git config at build time and phoned home 10,356 times before anyone pulled it — via a dependency nobody vetted.

Jul 8, 20266 min read
Security Guides

.NET Dependency Vulnerability Scanning: A Practical Guide

How to scan .NET dependencies for known vulnerabilities using dotnet list package, NuGet audit, and reachability-aware SCA, and how to wire it into CI so nothing ships with a known critical.

Jul 4, 20265 min read
Security Guides

Scanning NuGet Packages for Vulnerabilities in .NET

The .NET SDK ships a built-in vulnerability scanner: dotnet list package --vulnerable. Here is how to audit NuGet dependencies with it — and where to go beyond it.

Jul 4, 20265 min read
Security Guides

NuGet Supply Chain Security: Protecting Your .NET Dependencies

How NuGet supply chain attacks work, from dependency confusion to typosquatting, and the concrete controls, lock files, source mapping, and signing, that lock down your .NET build.

Jul 4, 20265 min read
Supply Chain

NuGet's September 2025 Trusted Publishing Launch and the 2026 Signing Roadmap

NuGet became the fifth major registry to ship Trusted Publishing in September 2025, with .NET package signing and ID prefix reservation forming a complete trust-signal stack for the ecosystem.

May 12, 20266 min read
Open Source Security

NuGet Package Signing Status in 2026

NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.

Feb 17, 20267 min read
Open Source Security

NuGet Package Manager Tampering / Spoofing Vulnerability ...

CVE-2019-0757 lets an authenticated attacker tamper with NuGet package contents on Linux/Mac. CVSS 6.5. Affected versions, timeline, and fixes inside.

Nov 29, 20257 min read
Engineering

Securing the .NET NuGet Supply Chain

Package source mapping, packages.lock.json, NuGetAudit and signature verification — .NET ships more built-in supply chain controls than any other ecosystem. Most teams enable none of them.

Nov 24, 20256 min read
Open Source Security

How Snyk scans NuGet and .NET project files for vulnerabl...

How Snyk resolves NuGet and .NET dependency graphs from csproj, packages.config, and project.assets.json files to find vulnerable packages.

Aug 24, 20257 min read
Open Source Security

NuGet Signed Packages Verification

NuGet supports signed packages — author signatures, repository signatures, and verification modes. A practical guide to enforcing it properly.

Nov 22, 20245 min read
Open Source Security

dotnet restore Reproducibility Concerns

dotnet restore is supposed to be deterministic. In practice it is deterministic in ways that matter less and non-deterministic in ways that matter more.

Oct 12, 20247 min read
Vulnerability Management

NuGet Package Vulnerabilities Dashboard

Listing every CVE in your NuGet dependency tree is easy. Turning it into a dashboard someone can act on is the work. A practical design.

Aug 15, 20245 min read
nuget — Safeguard Blog