Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Open Source Security

Case study: a malicious NuGet package compromise and its ...

Inside the Moq/SponsorLink malicious NuGet package incident: what shipped, who was exposed, and how to harden your .NET build pipeline against the next one.

Jan 30, 20268 min read
Open Source Security

Swift Package Manager dependency resolution and pinning s...

SPM trusts mutable git tags, not signed artifacts. Here's how dependency resolution, Package.resolved integrity, and pinning gaps expose Swift apps to supply chain attacks.

Jan 30, 20266 min read
Open Source Security

Maven Central dependency confusion and namespace collisio...

How Maven's groupId system and multi-repo resolution let attackers slip malicious packages into Java builds — and how to close the internal vs public repo gap.

Jan 29, 20267 min read
Open Source Security

Scanning Kotlin and Android projects with OWASP Dependenc...

A step-by-step guide to scanning Kotlin and Android projects with OWASP Dependency-Check: Gradle plugin setup, CI automation, triage, and suppressions.

Jan 29, 20268 min read
Open Source Security

PyPI typosquatting and malicious Python packages targetin...

PyPI typosquatting lets attackers slip malicious Python packages into your build with one typo. Real attacks, why PyPI is exposed, and how to stay safe.

Jan 28, 20267 min read
Open Source Security

Pinning Python dependencies: requirements.txt vs Poetry a...

A practical guide to python dependency pinning with requirements.txt, pip-tools, and Poetry — locked, hash-verified builds instead of moving-target dependencies.

Jan 27, 20268 min read
Open Source Security

Auditing Python dependencies with pip-audit and Safety

A hands-on pip-audit tutorial covering Python dependency scanning, Safety CLI comparisons, and a workflow for catching PyPI vulnerabilities before release.

Jan 27, 20267 min read
Open Source Security

Auditing Rails applications' Gemfile for vulnerable depen...

A practical guide to auditing your Rails Gemfile and Gemfile.lock for vulnerable dependencies using bundler-audit, from triage through CI automation.

Jan 26, 20268 min read
Open Source Security

PyPI malware campaigns targeting machine learning and dat...

PyPI malware ML packages have hit PyTorch and Ultralytics YOLO via dependency confusion and CI/CD compromise. What happened, and how to defend your ML supply chain.

Jan 25, 20269 min read
Open Source Security

npm supply chain attacks via malicious postinstall scripts

How a single postinstall hook in a compromised npm package can run malware at install time, real incidents from 2018-2025, and how to defend against it.

Jan 25, 20267 min read
Open Source Security

package-lock.json integrity checks and the npm audit work...

A step-by-step guide to verifying package-lock.json integrity, running npm audit correctly, and scanning Node.js dependencies for tampering and vulnerabilities.

Jan 24, 20268 min read
Industry Analysis

State of Open Source Security Report Overview

Open source vulnerabilities tripled in six years, but 70-85% aren't even reachable. A data-driven look at the real state of open source security in 2026.

Jan 24, 20267 min read
open-source-security (Page 12) — Safeguard Blog