software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
UAParser.js npm package compromise
A deep dive into the 2021 ua-parser-js npm compromise: how a hijacked maintainer account delivered cryptominers and credential stealers to millions.
Insider Threats in Open Source Projects: Lessons from XZ Utils
The XZ Utils backdoor was a three-year social engineering operation, not a coding mistake. What the timeline shows about maintainer trust, and what you can actually monitor.
Broken Object Property Level Authorization (BOPLA)
BOPLA (OWASP API3:2023) lets APIs correctly check object access while leaking or accepting the wrong fields. Real breaches show why it's so hard to catch.
node-ipc protestware incident
How a trusted maintainer turned node-ipc into "protestware," why transitive dependencies hid the blast radius, and what SBOM visibility could have prevented.
Shai-Hulud self-propagating npm worm campaign
Inside Shai-Hulud, the self-propagating npm worm that hijacked publish tokens to auto-infect hundreds of packages across the JavaScript ecosystem.
lottie-player npm supply chain compromise
A phishing-driven npm token takeover pushed a crypto wallet drainer into lottie-player, hitting 94K weekly downloads before LottieFiles shipped a fix.
Unrestricted Access to Sensitive Business Flows
OWASP's API10:2023 category covers a threat scanners can't see: bots abusing legitimate business flows like checkout and ticketing at scale. Here's how it works.
Best software supply chain risk scoring and rating platforms
A practical, no-hype guide to choosing software supply chain risk scoring platforms — evaluation criteria plus a fair roundup of six real vendors, strengths and limitations included.
Known Vulnerabilities in Dependencies: Detection and Triage
Known vulnerabilities in dependencies aren't a detection problem — they're a triage problem. Here's how CVEs get exploited, why CVSS alone misleads, and how to prioritize fixes.
Name Confusion Attacks: Typosquatting and Brandjacking
Typosquatting and brandjacking let attackers hijack trust in package names instead of writing exploits. Here's how crossenv, PyPI's 2017 campaign, and PyTorch's torchtriton breach actually worked.
Best open source vulnerability database and threat intell...
A practical buyer's guide to open source vulnerability database tools, CVE aggregation, and threat intel feeds for tracking OSS risk.
Untracked Dependencies in the Software Supply Chain
Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.