open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
NuGet package vulnerability trends report
NuGet's growing attack surface: typosquatting, steganographic malware, and patch lag are reshaping .NET supply chain risk in 2026 — here's what the data shows.
Malicious NuGet packages targeting .NET developers
A fresh wave of malicious NuGet packages is hitting .NET developers via typosquatting, MSBuild-triggered code, and IL weaving. Here's what's happening and how to respond.
.NET deserialization vulnerability landscape
A look at the .NET deserialization vulnerability landscape — from the 2025 ASP.NET machine key crisis to BinaryFormatter's retirement and Telerik exploits.
NuGet typosquatting campaign report
Four disclosed NuGet typosquatting campaigns since 2024 reveal a shift toward patient, audience-specific attacks — from ICS time bombs to wallet-draining homoglyphs.
Compromised NuGet author accounts
NuGet maintainer accounts are the .NET supply chain's weakest link. Here's why account takeover beats typosquatting, and how to detect it before a CVE exists.
Most vulnerable .NET libraries report
Safeguard's H1 2026 analysis of 41,000+ .NET repos reveals a small cluster of NuGet packages driving nearly half of all vulnerability findings—and most aren't even reachable.
ASP.NET Core vulnerability trends
A data-driven look at ASP.NET Core's recurring CVE patterns — DoS in Kestrel/SignalR, deserialization bugs, and NuGet supply chain risk — and how to triage what matters.
NuGet dependency confusion risk report
NuGet's default feed-resolution behavior keeps dependency confusion risk elevated across .NET orgs. Here's what the incident history shows, and how to close the gap.
Best open source license compliance tools
A practical comparison of open source license compliance tools—FOSSA, Mend, Black Duck, Snyk, and more—covering detection accuracy, policy engines, and SBOM support.
Composer package vulnerability trends report
Composer package vulnerabilities rose 34% YoY, with 60%+ arriving via transitive dependencies. Safeguard breaks down the trends and what security teams should do.
Malicious Composer packages on Packagist
Three malicious Composer package campaigns hit Packagist in under a year -- each sitting undetected for months. Here's what happened and how to catch the next one faster.
WordPress plugin vulnerability trends
WordPress plugin CVEs keep climbing and exploitation windows keep shrinking. Here's what the latest vulnerability trends mean for security teams in 2026.