Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Software Supply Chain Security

colors.js and faker.js protestware sabotage

In 2022, maintainer Marak Squires turned colors.js and faker.js into protestware, breaking 19,000+ npm projects and coining a new supply chain threat term.

Jul 5, 20266 min read
Open Source Security

Software Composition Analysis (SCA) Explained

SCA finds every open-source package in your app — but knowing it's there isn't knowing it's exploitable. Here's what Log4Shell, xz, and Snyk's approach got right and wrong.

Jul 4, 20267 min read
Software Supply Chain Security

The Shai-Hulud npm worm campaign

A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.

Jul 4, 20267 min read
Threat Research

Maintainer Account Takeover Attacks: Hijacking Trust in Open Source

A maintainer account takeover lets an attacker publish malicious versions of a trusted package under a legitimate identity. Here is how it happens and how to defend.

Jul 3, 20266 min read
Buyer's Guides

Snyk vs Sonatype: A Neutral Comparison for 2026

Snyk and Sonatype both secure open-source dependencies, but one leads with developer workflow and the other with repository governance and a component firewall. An honest side-by-side, plus a third option.

Jul 3, 20266 min read
Buyer's Guides

Snyk vs Black Duck: A Neutral SCA Comparison for 2026

Snyk and Black Duck are both leaders in open-source security, but they optimize for different buyers — developer velocity versus license and compliance depth. A fair side-by-side, plus where a third option fits.

Jul 2, 20266 min read
Threat Research

What Is Protestware? When Maintainers Weaponize Their Own Packages

Protestware is open-source code a maintainer deliberately alters to make a political or personal statement, sometimes sabotaging users. Here is how it works and how to defend.

Jul 2, 20266 min read
Concepts

What Is Software Composition Analysis (SCA)?

Software Composition Analysis (SCA) identifies the open source and third-party components in your code, then flags their known vulnerabilities and license risks. Here's how SCA works and what separates modern tools from legacy scanners.

Jul 1, 20266 min read
FAQ

Software Composition Analysis (SCA): Frequently Asked Questions

A practical FAQ on software composition analysis in 2026 — what SCA scans, how reachability cuts false positives, transitive dependencies, VEX, and how modern SCA differs from legacy scanners.

Jul 1, 20267 min read
Threat Research

What Is a Malicious Package? Supply-Chain Malware in Open Source

A malicious package is an open-source component built or altered to run attacker code on install or at runtime. Here is how they work, real npm and PyPI cases, and how to defend.

Jul 1, 20266 min read
Software Supply Chain Security

GitHub repo confusion and malware repositories

Fake GitHub repos with forged stars and AI-written READMEs are stealing crypto and credentials. Here's how repo confusion attacks actually work.

Jul 1, 20267 min read
Software Supply Chain Security

Software supply chain attack statistics and trends report

Software supply chain attacks keep climbing year over year. Here are the stats, incidents, and trends security teams need to know in 2026.

Jul 1, 20268 min read
open-source-security (Page 3) — Safeguard Blog