Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Open Source Security

Hallucinated Dependencies: How AI Models Invent Package N...

AI coding assistants regularly invent package names that don't exist — and attackers are registering them first. Here's how slopsquatting works and how to defend against it.

Aug 7, 20257 min read
Concepts

What Is a Lockfile?

A lockfile pins the exact versions and hashes of every dependency your build resolves. Here is how lockfiles make builds reproducible and why they are central to supply chain integrity.

Aug 5, 20255 min read
Open Source Security

Anatomy of a Typosquatting Campaign: How Attackers Pick T...

Real typosquatting campaigns follow a repeatable playbook: target selection, edit-distance tricks, and install-time payloads. Here's how attackers actually pick their targets.

Aug 2, 20257 min read
Open Source Security

Dependency Confusion Attacks Five Years Later: Are Enterp...

Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.

Aug 2, 20256 min read
Open Source Security

Why Malicious Package Counts Are Rising Faster Than Detec...

Malicious packages hit 245,000+ in 2023 alone, outpacing 2019-2022 combined. Here's why detection tooling can't keep up, and how the gap actually closes.

Aug 2, 20258 min read
Open Source Security

Post-Install Scripts: The Overlooked Execution Point Atta...

Postinstall scripts run automatically on `npm install` with full user privileges—no review required. Here's how attackers exploit them, from ua-parser-js to Shai-Hulud.

Aug 1, 20258 min read
Open Source Security

Protestware and Sabotage: When Maintainers Turn Against T...

Protestware turns trusted maintainers into insider threats. See how node-ipc, colors.js, and left-pad became sabotage vectors, and how Safeguard catches the next one.

Aug 1, 20257 min read
Open Source Security

Credential-Stealing Packages: What They Target and How Th...

Credential-stealing packages harvest env vars, browser passwords, and npm tokens at install time. Here's how ctx, W4SP, and Shai-Hulud actually work.

Aug 1, 20257 min read
Open Source Security

The Economics of Publishing Fake Packages at Scale

Publishing a malicious package costs an attacker almost nothing while payouts run into the millions. Here's the cost-benefit math behind fake packages — and how to break it.

Jul 31, 20256 min read
Open Source Security

How Package Takeover via Maintainer Account Compromise Ac...

Attackers don't hack npm's servers — they phish or socially engineer maintainers. Here's how account takeover turns trusted packages into malware.

Jul 31, 20257 min read
Open Source Security

Supply Chain Worming: Self-Propagating Malicious Packages...

How the Shai-Hulud npm worm self-propagated across 500+ packages in 48 hours by stealing tokens and republishing itself — and how to stop the next one.

Jul 31, 20257 min read
Open Source Security

Reconstructing a Real-World Dependency Confusion Incident...

A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.

Jul 31, 20257 min read
open-source-security (Page 26) — Safeguard Blog