Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Open Source Security

The security risk of LLMs reviving abandoned open-source packages

USENIX Security 2025 found 19.7% of LLM code samples hallucinate a package name — and real, dormant packages carry the same blind trust.

Jul 8, 20267 min read
Supply Chain Attacks

Software supply chain attack trends: what the public incident data shows

Sonatype tracked 454,648 new malicious packages in 2025 alone — over 1.2 million total since it started counting. Here's what three years of incident data reveal.

Jul 8, 20267 min read
Industry Analysis

The State of Open Source Security: What a Year of Disclosure Data Shows

454,600+ new malicious packages hit open-source registries in 2025, and NVD still closed the year with a 27,000-CVE enrichment backlog.

Jul 8, 20266 min read
Supply Chain Attacks

Anatomy of the XZ Utils backdoor: how CVE-2024-3094 nearly compromised SSH on every major Linux distro

A CVSS 10.0 backdoor sat in xz 5.6.0 and 5.6.1 for weeks, hidden in a test file, until 0.5 seconds of extra SSH login latency gave it away.

Jul 8, 20266 min read
Threat Research

Repojacking Explained: Hijacking Abandoned Repository Names

Repojacking lets an attacker claim a renamed or deleted GitHub namespace and serve malicious code to everyone still referencing the old path. Here is how it works.

Jul 7, 20266 min read
Open Source Security

Managing Open Source Component Risk at Scale

A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.

Jul 7, 20268 min read
Open Source Security

Native-extension vulnerabilities in Python packages

numpy, pandas, cryptography, and lxml all ship compiled C/C++ code — and a Python SCA scan that only checks package versions can miss memory-safety bugs buried in that native layer.

Jul 7, 20266 min read
Supply Chain Attacks

Malicious code in scoped npm packages: what the Miasma attack teaches

32 releases under the trusted @redhat-cloud-services npm scope shipped credential-stealing malware in June 2026 — with valid SLSA provenance attached.

Jul 7, 20267 min read
Open Source Security

Protestware via prompt injection: when maintainers target AI agents

jqwik 1.10.0 shipped a hidden instruction telling AI coding agents to delete their own tests, then erased it from the terminal with ANSI codes — protestware built for agents, not humans.

Jul 7, 20267 min read
Open Source Security

Should open source maintainers get free enterprise security tooling?

80-90% of the average codebase is open source, built largely by unpaid maintainers — Snyk's year-old maintainer program now covers 60+ projects for free.

Jul 7, 20266 min read
Threat Research

Transitive Dependency Risk Explained: The Code You Never Chose

Transitive dependencies are the packages your dependencies pull in, and they make up most of your codebase. Here is why they are risky and how to manage them.

Jul 6, 20266 min read
Software Supply Chain Security

The XZ Utils backdoor CVE-2024-3094 explained

CVE-2024-3094 hid a remote-access backdoor inside xz-utils via a years-long social engineering campaign. Here's the timeline, impact, and fix.

Jul 5, 20267 min read
open-source-security (Page 2) — Safeguard Blog