oidc
Safeguard articles tagged "oidc" — guides, analysis, and best practices for software supply chain and application security.
32 articles
npm Trusted Publishing walkthrough: retiring long-lived publish tokens
npm Trusted Publishing replaces long-lived publish tokens with short-lived OIDC-issued credentials tied to a specific CI workflow. Here is the 2026 rollout state, what the migration actually looks like, and where the rough edges still are.
TanStack and the Mini Shai-Hulud npm Worm (May 2026): Anatomy of a CI-Native Supply Chain Attack
On 11-12 May 2026, the TeamPCP-linked Mini Shai-Hulud worm published 84 malicious artifacts across 42 TanStack npm packages in six minutes, then spread to 160+ packages by abusing GitHub Actions OIDC tokens and CI cache poisoning.
AWS IAM Identity Center Trusted Token Issuer: A Supply Chain Lens
Trusted Token Issuer support in IAM Identity Center lets workloads exchange OIDC tokens for AWS sessions without long-lived keys. Here is how that reshapes build pipeline trust.
CircleCI Orb Trust and Pinning in 2026
How to manage CircleCI orb trust in 2026: certified versus uncertified orbs, version pinning, contexts, OIDC, and the controls that hold under real attacker pressure.
GitLab CI Supply Chain Hardening Checklist 2026
A 2026 hardening checklist for GitLab CI: ID tokens, protected branches, runner isolation, included templates, and the controls that actually shrink blast radius.
PyPI Trusted Publishing Token Leaks in 2025
Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.
Confused Deputy Attacks on CI/CD Service Accounts
Build systems hold broad trust and tight deadlines, which makes them perfect confused deputies. Here is how the attack pattern shows up in modern CI/CD and how to defang it.
How to Rotate Leaked CI Secrets Without Downtime
A leaked CI credential does not have to mean an outage. The dual-credential pattern: issue new alongside old, cut over, verify with usage logs, then revoke — plus what to do after.
GitHub Actions Supply Chain Hardening Checklist 2026
A pragmatic 2026 hardening checklist for GitHub Actions: OIDC, pinned actions, environment protection, reusable workflows, and the controls that actually move risk.
Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing
By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.
OIDC (OpenID Connect)
A precise technical answer to "what is OIDC": how OpenID Connect extends OAuth 2.0 with ID tokens, federated identity, and token exchange to secure modern authentication.
GitLab OIDC Token Theft: Workflow Research
GitLab CI OIDC tokens are becoming the keys to cloud kingdoms. Recent research shows how workflow misconfigurations leak them in surprising ways.