Safeguard
Tag

open-source-risk

Safeguard articles tagged "open-source-risk" — guides, analysis, and best practices for software supply chain and application security.

6 articles

Supply Chain Attacks

Protestware: what colors.js and faker.js taught the industry about maintainer risk

One unpaid maintainer sabotaged two packages with 20M+ weekly downloads in a single week. Here's what colors.js and faker.js reveal about single-maintainer risk.

Jul 16, 20265 min read
Supply Chain Attacks

The string-width-cjs npm packages: a supply chain warm-up, not a breach

One of three empty npm packages aliasing real libraries reached 500+ dependents and 7,274 weekly downloads — with no malicious code found at all.

Jul 8, 20265 min read
Software Supply Chain Security

node-ipc protestware targeting Russia/Belarus IPs

In March 2022, node-ipc's maintainer shipped code wiping files on Russian and Belarusian machines. Here's what happened, how it spread, and how to catch it next time.

Jul 4, 20266 min read
Software Supply Chain Security

Laravel Lang supply chain advisory

A leaked PAT let attackers rewrite 700+ git tags across four Laravel-Lang packages, planting a credential stealer that ran on every PHP request.

Jul 1, 20267 min read
Incident Analysis

Colors.js and Faker.js maintainer sabotage incident

In January 2022, colors.js and faker.js maintainer Marak Squires sabotaged his own packages, breaking thousands of builds—no compromise required.

Nov 7, 20257 min read
Open Source Security

The Hidden Risk of Abandoned Open Source Projects

Abandoned open source projects do not disappear. They continue to be installed, depended upon, and deployed in production. They just stop getting security patches.

Aug 8, 20236 min read
open-source-risk — Safeguard Blog