open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
Packagist's GitHub Webhook Flaw That Could Have Poisoned ...
A 2022 Packagist webhook vulnerability let a crafted GitHub branch name trigger command injection on Packagist's servers, threatening the entire PHP/Composer supply chain.
Compromised maintainer accounts on npm
Recent npm maintainer account takeovers show how a single stolen credential can compromise billions of downloads. Here's the anatomy of the threat—and the defense.
CocoaPods Trunk Server Remote Code Execution (CVE-2024-38...
CVE-2024-38366 exposed a critical remote code execution flaw in the CocoaPods trunk server, threatening the iOS dependency supply chain for years undetected.
CocoaPods Trunk Server Email Verification Bypass Enabling...
CVE-2024-38367 let attackers bypass email verification on the CocoaPods trunk server to take over pod owner accounts, threatening the iOS supply chain. Here's the impact and fix.
Most vulnerable npm packages of the year
Safeguard's 2026 mid-year analysis of the npm registry breaks down the packages driving the most risk and why the same names keep coming back.
CocoaPods Orphaned Pod Takeover Vulnerability (CVE-2024-3...
CVE-2024-38368 let attackers claim orphaned CocoaPods and push malicious code into any iOS or macOS app still depending on them. Here is what to check.
npm package hijacking via expired maintainer domains
Attackers are hijacking npm packages by buying up maintainers' expired email domains to reset account passwords — here's how it works and how to detect it.
NuGet Package Manager Tampering / Spoofing Vulnerability ...
CVE-2019-0757 lets an authenticated attacker tamper with NuGet package contents on Linux/Mac. CVSS 6.5. Affected versions, timeline, and fixes inside.
Node.js runtime CVE roundup
A roundup of Node.js runtime CVEs since 2024 — command injection, HTTP smuggling, permission bypasses, and why runtime flaws evade typical dependency scanners.
Apache Maven's Insecure HTTP Repository Resolution Enabli...
CVE-2021-26291 shows how Apache Maven resolved dependencies over plain HTTP, letting a MITM attacker swap in malicious artifacts during the build.
PyPI typosquatting and malicious package report
A 2026 look at PyPI typosquatting trends: attack patterns, CI/CD targeting, info-stealer payloads, and how to defend the Python supply chain.
RubyGems.org domain takeover risk report
RubyGems.org hasn't adopted the domain-resurrection defenses PyPI rolled out in 2025 — leaving a proven account-takeover technique open across the Ruby ecosystem.