Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

Incident Analysis

UAParser.js npm package compromise

A deep dive into the 2021 ua-parser-js npm compromise: how a hijacked maintainer account delivered cryptominers and credential stealers to millions.

Nov 8, 20257 min read
Engineering

Insider Threats in Open Source Projects: Lessons from XZ Utils

The XZ Utils backdoor was a three-year social engineering operation, not a coding mistake. What the timeline shows about maintainer trust, and what you can actually monitor.

Nov 7, 20256 min read
Industry Analysis

Broken Object Property Level Authorization (BOPLA)

BOPLA (OWASP API3:2023) lets APIs correctly check object access while leaking or accepting the wrong fields. Real breaches show why it's so hard to catch.

Nov 7, 20257 min read
Incident Analysis

node-ipc protestware incident

How a trusted maintainer turned node-ipc into "protestware," why transitive dependencies hid the blast radius, and what SBOM visibility could have prevented.

Nov 7, 20257 min read
Incident Analysis

Shai-Hulud self-propagating npm worm campaign

Inside Shai-Hulud, the self-propagating npm worm that hijacked publish tokens to auto-infect hundreds of packages across the JavaScript ecosystem.

Nov 6, 20257 min read
Incident Analysis

lottie-player npm supply chain compromise

A phishing-driven npm token takeover pushed a crypto wallet drainer into lottie-player, hitting 94K weekly downloads before LottieFiles shipped a fix.

Nov 6, 20257 min read
Industry Analysis

Unrestricted Access to Sensitive Business Flows

OWASP's API10:2023 category covers a threat scanners can't see: bots abusing legitimate business flows like checkout and ticketing at scale. Here's how it works.

Nov 6, 20257 min read
Software Supply Chain Security

Best software supply chain risk scoring and rating platforms

A practical, no-hype guide to choosing software supply chain risk scoring platforms — evaluation criteria plus a fair roundup of six real vendors, strengths and limitations included.

Nov 5, 20258 min read
Software Supply Chain Security

Known Vulnerabilities in Dependencies: Detection and Triage

Known vulnerabilities in dependencies aren't a detection problem — they're a triage problem. Here's how CVEs get exploited, why CVSS alone misleads, and how to prioritize fixes.

Nov 4, 20258 min read
Software Supply Chain Security

Name Confusion Attacks: Typosquatting and Brandjacking

Typosquatting and brandjacking let attackers hijack trust in package names instead of writing exploits. Here's how crossenv, PyPI's 2017 campaign, and PyTorch's torchtriton breach actually worked.

Nov 4, 20257 min read
Buyer's Guides

Best open source vulnerability database and threat intell...

A practical buyer's guide to open source vulnerability database tools, CVE aggregation, and threat intel feeds for tracking OSS risk.

Nov 3, 20257 min read
Software Supply Chain Security

Untracked Dependencies in the Software Supply Chain

Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.

Nov 3, 20257 min read
software-supply-chain-security (Page 35) — Safeguard Blog