software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
Build Pipeline Compromise: When the Factory Ships the Malware
A build pipeline compromise injects malicious code during CI/CD, so the software you sign and ship is already backdoored. Here is how it works and how to defend.
node-ipc protestware targeting Russia/Belarus IPs
In March 2022, node-ipc's maintainer shipped code wiping files on Russian and Belarusian machines. Here's what happened, how it spread, and how to catch it next time.
SBOMs and Executive Order 14028: how a 2021 order reshaped software supply chain policy
Executive Order 14028 made the software bill of materials a matter of federal policy. Here's the story of how it happened, what it requires, and what it means for you in 2026.
What Is a Security Patch
A security patch is a small update that fixes a specific flaw in software. Here is what patches are, why applying them quickly matters, and how teams manage them.
The Shai-Hulud npm worm campaign
A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.
Mini Shai-Hulud hits TanStack npm packages
TeamPCP's Mini Shai-Hulud worm hijacked 42 TanStack npm packages via stolen GitHub OIDC tokens, spreading to 169 packages with valid SLSA attestations.
CMMC 2.0 Explained: What Defense Contractors and Their Software Must Do
CMMC 2.0 turns NIST SP 800-171 into a certification requirement for the defense supply chain. Here's how the three levels work, who assesses them, and where your software components fit.
FedRAMP and the software supply chain: a 2026 guide
FedRAMP authorization increasingly hinges on how you secure your software supply chain. Here's how the SR control family, SBOMs, and SSDF attestation fit together.
Maintainer Account Takeover Attacks: Hijacking Trust in Open Source
A maintainer account takeover lets an attacker publish malicious versions of a trusted package under a legitimate identity. Here is how it happens and how to defend.
What Is a Software Dependency
A software dependency is outside code your program relies on to run. Here is what dependencies are, why modern apps have so many, and why they matter for security.
tj-actions/changed-files GitHub Action compromise
How the tj-actions/changed-files GitHub Action compromise (CVE-2025-30066) leaked CI/CD secrets from 23,000+ repos, and how to prevent it.
GitHub Advanced Security alternatives: why teams look bey...
GitHub Advanced Security works well inside GitHub — but multi-SCM estates, independent CVE data needs, and AI-agent workflows push teams to look further. Here's a grounded comparison.