open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
Open source dependency risk in e-commerce platforms (Mage...
A practical guide to finding and fixing e-commerce platform dependency risk across Magento plugins, WooCommerce extensions, and Shopify apps before attackers do.
Typosquatting in open source package registries explained
Typosquatting hides malware behind a one-character package name typo. Learn how it works, real incidents, and how to detect it before your build runs.
RubyGems 2019 Multi-CVE Disclosure: Directory Traversal v...
CVE-2019-8320 let malicious RubyGems packages delete arbitrary directories via symlinked gem decompression. Here's the impact, timeline, and how to remediate it.
RubyGems Escape Sequence Injection via Gem Name Output (C...
A look at CVE-2019-8321, the RubyGems escape sequence injection flaw in gem CLI output: affected versions, severity, and how to remediate it.
RubyGems Escape Sequence Injection via Crafted API Respon...
CVE-2019-8322 is a RubyGems flaw where crafted API responses could inject terminal escape sequences, spoofing gem output. Here's what to know and how to fix it.
RubyGems Escape Sequence Injection in Gem Owner Command (...
CVE-2019-8323 shows how RubyGems' gem owner command echoed unsanitized API response data to the terminal, enabling escape sequence injection attacks.
RubyGems Malicious Gem Arbitrary Code Execution via Missi...
CVE-2019-8324 let a malicious RubyGems package run arbitrary code at install time via a crafted multi-line gem name evaluated during the preinstall check.
RubyGems Escape Sequence Injection via Unpack API (CVE-20...
CVE-2019-8325 lets a malicious RubyGems package inject terminal escape sequences via the unpack API. Here's the impact, affected versions, and how to remediate it.
The torchtriton Dependency Confusion Attack on PyTorch-Ni...
How a namespace gap on PyPI let a malicious "torchtriton" package hijack PyTorch-nightly installs for five days, and what it teaches about ML supply chain security.
The 'ctx' PyPI Package Hijack via Expired Maintainer Domain
In 2022, attackers bought an expired domain, reset a PyPI maintainer's email, and hijacked the ctx package to steal environment variables from unsuspecting installs.
node-tar Arbitrary File Write via Symlink Extraction (CVE...
CVE-2021-32803 allows crafted symlinks in tar archives to make node-tar write files outside the extraction directory via malicious npm packages.
node-tar Second Bypass Enabling Arbitrary File Write (CVE...
CVE-2021-32804 let crafted tar archives bypass node-tar path sanitization, enabling arbitrary file writes during npm package extraction.