open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
CocoaPods trunk supply chain vulnerability report
Three CocoaPods trunk server flaws sat unpatched for a decade, exposing 1,866 orphaned pods to takeover. Here's what happened and how to defend your dependencies.
Swift Package Manager vulnerability trends
Typosquats, thin CVE coverage, and an executable manifest format: inside the Swift Package Manager vulnerability trends security teams can't ignore.
Malicious iOS SDKs and CocoaPods report
CocoaPods trunk server CVEs and the SourMint SDK scandal reveal how malicious iOS SDKs and pods slip past App Review for years.
Mobile app dependency vulnerability trends
Mobile apps now ship more third-party code than first-party. Safeguard's analysis breaks down where dependency vulnerabilities cluster and why.
The XZ Utils backdoor: anatomy of a supply chain attack
A two-year maintainer-trust takeover placed a pre-auth SSH backdoor inside xz-utils. Heres how CVE-2024-3094 was built, hidden, and caught in time.
Insider Threats in Open Source Projects: Lessons from XZ Utils
The XZ Utils backdoor was a three-year social engineering operation, not a coding mistake. What the timeline shows about maintainer trust, and what you can actually monitor.
PHP Git server compromise incident (2021)
In 2021, attackers pushed a hidden RCE backdoor into PHP's own source repo under forged maintainer names — a supply chain near-miss worth revisiting.
node-ipc protestware incident
How a trusted maintainer turned node-ipc into "protestware," why transitive dependencies hid the blast radius, and what SBOM visibility could have prevented.
Best open source audit tools for M&A due diligence
A practical buyer's guide to open source audit tools for M&A due diligence, comparing ScanCode, FOSSology, ORT, Syft/Grype, FOSSA, and Black Duck.
Compromise of Legitimate Upstream Packages
From xz-utils to polyfill.io, attackers increasingly compromise packages developers already trust rather than planting fakes. Here's how these attacks work and how Safeguard catches them.
Name Confusion Attacks: Typosquatting and Brandjacking
Typosquatting and brandjacking let attackers hijack trust in package names instead of writing exploits. Here's how crossenv, PyPI's 2017 campaign, and PyTorch's torchtriton breach actually worked.
Unmaintained Open Source Software: A Supply Chain Risk
Unmaintained open source components quietly power critical software until a bug hits and no one is left to patch it. Here's the risk, and how to manage it.