Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

Threat Research

Build Pipeline Compromise: When the Factory Ships the Malware

A build pipeline compromise injects malicious code during CI/CD, so the software you sign and ship is already backdoored. Here is how it works and how to defend.

Jul 4, 20266 min read
Software Supply Chain Security

node-ipc protestware targeting Russia/Belarus IPs

In March 2022, node-ipc's maintainer shipped code wiping files on Russian and Belarusian machines. Here's what happened, how it spread, and how to catch it next time.

Jul 4, 20266 min read
Compliance

SBOMs and Executive Order 14028: how a 2021 order reshaped software supply chain policy

Executive Order 14028 made the software bill of materials a matter of federal policy. Here's the story of how it happened, what it requires, and what it means for you in 2026.

Jul 4, 20265 min read
Concepts

What Is a Security Patch

A security patch is a small update that fixes a specific flaw in software. Here is what patches are, why applying them quickly matters, and how teams manage them.

Jul 4, 20266 min read
Software Supply Chain Security

The Shai-Hulud npm worm campaign

A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.

Jul 4, 20267 min read
Software Supply Chain Security

Mini Shai-Hulud hits TanStack npm packages

TeamPCP's Mini Shai-Hulud worm hijacked 42 TanStack npm packages via stolen GitHub OIDC tokens, spreading to 169 packages with valid SLSA attestations.

Jul 4, 20267 min read
Compliance

CMMC 2.0 Explained: What Defense Contractors and Their Software Must Do

CMMC 2.0 turns NIST SP 800-171 into a certification requirement for the defense supply chain. Here's how the three levels work, who assesses them, and where your software components fit.

Jul 3, 20266 min read
Compliance

FedRAMP and the software supply chain: a 2026 guide

FedRAMP authorization increasingly hinges on how you secure your software supply chain. Here's how the SR control family, SBOMs, and SSDF attestation fit together.

Jul 3, 20265 min read
Threat Research

Maintainer Account Takeover Attacks: Hijacking Trust in Open Source

A maintainer account takeover lets an attacker publish malicious versions of a trusted package under a legitimate identity. Here is how it happens and how to defend.

Jul 3, 20266 min read
Concepts

What Is a Software Dependency

A software dependency is outside code your program relies on to run. Here is what dependencies are, why modern apps have so many, and why they matter for security.

Jul 3, 20266 min read
Software Supply Chain Security

tj-actions/changed-files GitHub Action compromise

How the tj-actions/changed-files GitHub Action compromise (CVE-2025-30066) leaked CI/CD secrets from 23,000+ repos, and how to prevent it.

Jul 3, 20266 min read
Buyer's Guides

GitHub Advanced Security alternatives: why teams look bey...

GitHub Advanced Security works well inside GitHub — but multi-SCM estates, independent CVE data needs, and AI-agent workflows push teams to look further. Here's a grounded comparison.

Jul 3, 20267 min read
software-supply-chain-security (Page 3) — Safeguard Blog