open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
Case study: a malicious NuGet package compromise and its ...
Inside the Moq/SponsorLink malicious NuGet package incident: what shipped, who was exposed, and how to harden your .NET build pipeline against the next one.
Swift Package Manager dependency resolution and pinning s...
SPM trusts mutable git tags, not signed artifacts. Here's how dependency resolution, Package.resolved integrity, and pinning gaps expose Swift apps to supply chain attacks.
Maven Central dependency confusion and namespace collisio...
How Maven's groupId system and multi-repo resolution let attackers slip malicious packages into Java builds — and how to close the internal vs public repo gap.
Scanning Kotlin and Android projects with OWASP Dependenc...
A step-by-step guide to scanning Kotlin and Android projects with OWASP Dependency-Check: Gradle plugin setup, CI automation, triage, and suppressions.
PyPI typosquatting and malicious Python packages targetin...
PyPI typosquatting lets attackers slip malicious Python packages into your build with one typo. Real attacks, why PyPI is exposed, and how to stay safe.
Pinning Python dependencies: requirements.txt vs Poetry a...
A practical guide to python dependency pinning with requirements.txt, pip-tools, and Poetry — locked, hash-verified builds instead of moving-target dependencies.
Auditing Python dependencies with pip-audit and Safety
A hands-on pip-audit tutorial covering Python dependency scanning, Safety CLI comparisons, and a workflow for catching PyPI vulnerabilities before release.
Auditing Rails applications' Gemfile for vulnerable depen...
A practical guide to auditing your Rails Gemfile and Gemfile.lock for vulnerable dependencies using bundler-audit, from triage through CI automation.
PyPI malware campaigns targeting machine learning and dat...
PyPI malware ML packages have hit PyTorch and Ultralytics YOLO via dependency confusion and CI/CD compromise. What happened, and how to defend your ML supply chain.
npm supply chain attacks via malicious postinstall scripts
How a single postinstall hook in a compromised npm package can run malware at install time, real incidents from 2018-2025, and how to defend against it.
package-lock.json integrity checks and the npm audit work...
A step-by-step guide to verifying package-lock.json integrity, running npm audit correctly, and scanning Node.js dependencies for tampering and vulnerabilities.
State of Open Source Security Report Overview
Open source vulnerabilities tripled in six years, but 70-85% aren't even reachable. A data-driven look at the real state of open source security in 2026.