open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
npm dependency confusion attacks against private package ...
How npm dependency confusion lets attackers hijack internal package names on public registries — and why private npm registry security gaps still leave teams exposed.
Maven and Gradle dependency supply chain attacks in the J...
How attackers exploit Maven Central and the Gradle Plugin Portal — dependency confusion, malicious artifacts, and plugin takeovers — and how to defend Java builds.
Auditing Spring Boot dependencies with OWASP Dependency-C...
A step-by-step spring boot dependency audit using OWASP Dependency-Check and Snyk, from Maven setup to CI automation and finding reconciliation.
What is a Malicious Commit / Compromised Maintainer Account
When an attacker steals a maintainer's credentials, every user of that package inherits the compromise. Here's how it happens and how to catch it.
XZ Utils backdoor discovery (CVE-2024-3094)
A deep dive into CVE-2024-3094, the XZ Utils backdoor: affected versions, CVSS/EPSS context, full attack timeline, and remediation steps.
Best Free Security Tools for Bootstrapped Startups in 2026
A zero-budget security stack that actually covers the top risks: SCA, secrets scanning, SAST, container scanning, and DAST — plus what each free tool won't do.
event-stream / flatmap-stream npm backdoor incident
How a trusted npm maintainer handoff let attackers plant a wallet-draining backdoor in event-stream, and what it still teaches security teams today.
CVE analysis: critical vulnerabilities in open source fin...
Log4Shell, Spring4Shell, and the Struts flaw behind Equifax: real CVEs still lurking in banking and fintech open source stacks, with fixes and detection tips.
urllib3 regular expression denial of service (CVE-2021-33503)
A deep dive into CVE-2021-33503, the urllib3 ReDoS flaw in Python's core HTTP library, its real-world exposure, and how to remediate it.
ctx and colourama PyPI typosquat malware incident
The ctx and colourama PyPI typosquatting malware incident shows how account takeover and name-squatting delivered credential-stealing code to devs.
How to manage open source risk in telecom OSS/BSS softwar...
A practical guide to managing telecom OSS/BSS open source risk—from SBOM inventory to dependency scanning—so carrier billing and network software stays secure.
How to vet open source software before deployment in tele...
A seven-step process for vetting open source telecom core network components — SBOMs, signature verification, protocol fuzzing, and procurement sign-off — before they reach production.