Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Open Source Security

Open source dependency risk in e-commerce platforms (Mage...

A practical guide to finding and fixing e-commerce platform dependency risk across Magento plugins, WooCommerce extensions, and Shopify apps before attackers do.

Dec 23, 20257 min read
Vulnerability Analysis

Typosquatting in open source package registries explained

Typosquatting hides malware behind a one-character package name typo. Learn how it works, real incidents, and how to detect it before your build runs.

Dec 7, 20257 min read
Open Source Security

RubyGems 2019 Multi-CVE Disclosure: Directory Traversal v...

CVE-2019-8320 let malicious RubyGems packages delete arbitrary directories via symlinked gem decompression. Here's the impact, timeline, and how to remediate it.

Dec 5, 20258 min read
Open Source Security

RubyGems Escape Sequence Injection via Gem Name Output (C...

A look at CVE-2019-8321, the RubyGems escape sequence injection flaw in gem CLI output: affected versions, severity, and how to remediate it.

Dec 4, 20258 min read
Open Source Security

RubyGems Escape Sequence Injection via Crafted API Respon...

CVE-2019-8322 is a RubyGems flaw where crafted API responses could inject terminal escape sequences, spoofing gem output. Here's what to know and how to fix it.

Dec 4, 20258 min read
Open Source Security

RubyGems Escape Sequence Injection in Gem Owner Command (...

CVE-2019-8323 shows how RubyGems' gem owner command echoed unsanitized API response data to the terminal, enabling escape sequence injection attacks.

Dec 4, 20257 min read
Open Source Security

RubyGems Malicious Gem Arbitrary Code Execution via Missi...

CVE-2019-8324 let a malicious RubyGems package run arbitrary code at install time via a crafted multi-line gem name evaluated during the preinstall check.

Dec 4, 20257 min read
Open Source Security

RubyGems Escape Sequence Injection via Unpack API (CVE-20...

CVE-2019-8325 lets a malicious RubyGems package inject terminal escape sequences via the unpack API. Here's the impact, affected versions, and how to remediate it.

Dec 3, 20258 min read
Open Source Security

The torchtriton Dependency Confusion Attack on PyTorch-Ni...

How a namespace gap on PyPI let a malicious "torchtriton" package hijack PyTorch-nightly installs for five days, and what it teaches about ML supply chain security.

Dec 3, 20257 min read
Open Source Security

The 'ctx' PyPI Package Hijack via Expired Maintainer Domain

In 2022, attackers bought an expired domain, reset a PyPI maintainer's email, and hijacked the ctx package to steal environment variables from unsuspecting installs.

Dec 3, 20257 min read
Open Source Security

node-tar Arbitrary File Write via Symlink Extraction (CVE...

CVE-2021-32803 allows crafted symlinks in tar archives to make node-tar write files outside the extraction directory via malicious npm packages.

Dec 2, 20257 min read
Open Source Security

node-tar Second Bypass Enabling Arbitrary File Write (CVE...

CVE-2021-32804 let crafted tar archives bypass node-tar path sanitization, enabling arbitrary file writes during npm package extraction.

Dec 2, 20257 min read
open-source-security (Page 14) — Safeguard Blog