Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

Software Supply Chain Security

The Ultralytics AI pwn request supply chain attack

How a malicious pull request, a poisoned GitHub Actions cache, and a stored PyPI token turned the Ultralytics YOLO package into a cryptominer.

Jul 3, 20267 min read
Software Supply Chain Security

Axios npm package RAT supply chain compromise

A compromised maintainer account pushed malicious axios releases carrying a cross-platform RAT to npm on March 31, 2026 — here's the full timeline and IOCs.

Jul 3, 20267 min read
Compliance

HIPAA compliance for developers: securing the software supply chain

HIPAA does not name your open source dependencies, but its Security Rule holds you responsible for them. Here's what developers building health-tech actually need to do.

Jul 2, 20266 min read
FAQ

Best Software Supply Chain Security Tools (2026): An Honest FAQ

A balanced 2026 FAQ on the best software supply chain security tools — how Snyk, Black Duck, Sonatype, Socket, JFrog, Wiz, and Safeguard actually differ, and how to pick for your own repos.

Jul 2, 20266 min read
Compliance

PCI DSS 4.0 for developers: a practical secure-coding guide

PCI DSS 4.0 moved secure development from an annual review to a continuous engineering practice. Here's what Requirement 6 means for developers writing and shipping code.

Jul 2, 20265 min read
Threat Research

What Is Protestware? When Maintainers Weaponize Their Own Packages

Protestware is open-source code a maintainer deliberately alters to make a political or personal statement, sometimes sabotaging users. Here is how it works and how to defend.

Jul 2, 20266 min read
Vulnerability Analysis

Log4j Log4Shell vulnerability explained CVE-2021-44228

Log4Shell (CVE-2021-44228) let attackers gain RCE via a single logged string. Here's the CVSS/EPSS/KEV context, timeline, and how to remediate it.

Jul 2, 20267 min read
Software Supply Chain Security

PyPI typosquatting malicious packages

PyPI typosquatting tricks developers into installing malicious lookalike packages via one-letter typos. Real incidents, attack patterns, and defenses inside.

Jul 2, 20265 min read
Software Supply Chain Security

RubyGems strong_password malicious version RCE

In 2019, attackers hijacked the strong_password RubyGems account and shipped a backdoored v0.0.7 that let them eval() code in production Rails apps.

Jul 2, 20267 min read
FAQ

Safeguard Platform FAQ: Software Supply Chain Security Answered

A plain-English FAQ about the Safeguard platform — what it covers, how the pieces fit together, and how it differs from a traditional scanner-plus-dashboard stack.

Jul 1, 20265 min read
FAQ

Software Supply Chain Security FAQ: 2026 Answers

Plain answers to the most common questions about software supply chain security in 2026 — what it covers, why SBOMs matter, how SLSA and provenance fit, and where to start.

Jul 1, 20266 min read
Software Supply Chain Security

Understanding dependency confusion via npm package aliasing

npm's `npm:` alias syntax lets a trusted-looking dependency name resolve to attacker-controlled code — here's how that becomes dependency confusion, and how to detect it.

Jul 1, 20267 min read
software-supply-chain-security (Page 4) — Safeguard Blog