open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
colors.js and faker.js protestware sabotage
In 2022, maintainer Marak Squires turned colors.js and faker.js into protestware, breaking 19,000+ npm projects and coining a new supply chain threat term.
Software Composition Analysis (SCA) Explained
SCA finds every open-source package in your app — but knowing it's there isn't knowing it's exploitable. Here's what Log4Shell, xz, and Snyk's approach got right and wrong.
The Shai-Hulud npm worm campaign
A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.
Maintainer Account Takeover Attacks: Hijacking Trust in Open Source
A maintainer account takeover lets an attacker publish malicious versions of a trusted package under a legitimate identity. Here is how it happens and how to defend.
Snyk vs Sonatype: A Neutral Comparison for 2026
Snyk and Sonatype both secure open-source dependencies, but one leads with developer workflow and the other with repository governance and a component firewall. An honest side-by-side, plus a third option.
Snyk vs Black Duck: A Neutral SCA Comparison for 2026
Snyk and Black Duck are both leaders in open-source security, but they optimize for different buyers — developer velocity versus license and compliance depth. A fair side-by-side, plus where a third option fits.
What Is Protestware? When Maintainers Weaponize Their Own Packages
Protestware is open-source code a maintainer deliberately alters to make a political or personal statement, sometimes sabotaging users. Here is how it works and how to defend.
What Is Software Composition Analysis (SCA)?
Software Composition Analysis (SCA) identifies the open source and third-party components in your code, then flags their known vulnerabilities and license risks. Here's how SCA works and what separates modern tools from legacy scanners.
Software Composition Analysis (SCA): Frequently Asked Questions
A practical FAQ on software composition analysis in 2026 — what SCA scans, how reachability cuts false positives, transitive dependencies, VEX, and how modern SCA differs from legacy scanners.
What Is a Malicious Package? Supply-Chain Malware in Open Source
A malicious package is an open-source component built or altered to run attacker code on install or at runtime. Here is how they work, real npm and PyPI cases, and how to defend.
GitHub repo confusion and malware repositories
Fake GitHub repos with forged stars and AI-written READMEs are stealing crypto and credentials. Here's how repo confusion attacks actually work.
Software supply chain attack statistics and trends report
Software supply chain attacks keep climbing year over year. Here are the stats, incidents, and trends security teams need to know in 2026.