software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
The Ultralytics AI pwn request supply chain attack
How a malicious pull request, a poisoned GitHub Actions cache, and a stored PyPI token turned the Ultralytics YOLO package into a cryptominer.
Axios npm package RAT supply chain compromise
A compromised maintainer account pushed malicious axios releases carrying a cross-platform RAT to npm on March 31, 2026 — here's the full timeline and IOCs.
HIPAA compliance for developers: securing the software supply chain
HIPAA does not name your open source dependencies, but its Security Rule holds you responsible for them. Here's what developers building health-tech actually need to do.
Best Software Supply Chain Security Tools (2026): An Honest FAQ
A balanced 2026 FAQ on the best software supply chain security tools — how Snyk, Black Duck, Sonatype, Socket, JFrog, Wiz, and Safeguard actually differ, and how to pick for your own repos.
PCI DSS 4.0 for developers: a practical secure-coding guide
PCI DSS 4.0 moved secure development from an annual review to a continuous engineering practice. Here's what Requirement 6 means for developers writing and shipping code.
What Is Protestware? When Maintainers Weaponize Their Own Packages
Protestware is open-source code a maintainer deliberately alters to make a political or personal statement, sometimes sabotaging users. Here is how it works and how to defend.
Log4j Log4Shell vulnerability explained CVE-2021-44228
Log4Shell (CVE-2021-44228) let attackers gain RCE via a single logged string. Here's the CVSS/EPSS/KEV context, timeline, and how to remediate it.
PyPI typosquatting malicious packages
PyPI typosquatting tricks developers into installing malicious lookalike packages via one-letter typos. Real incidents, attack patterns, and defenses inside.
RubyGems strong_password malicious version RCE
In 2019, attackers hijacked the strong_password RubyGems account and shipped a backdoored v0.0.7 that let them eval() code in production Rails apps.
Safeguard Platform FAQ: Software Supply Chain Security Answered
A plain-English FAQ about the Safeguard platform — what it covers, how the pieces fit together, and how it differs from a traditional scanner-plus-dashboard stack.
Software Supply Chain Security FAQ: 2026 Answers
Plain answers to the most common questions about software supply chain security in 2026 — what it covers, why SBOMs matter, how SLSA and provenance fit, and where to start.
Understanding dependency confusion via npm package aliasing
npm's `npm:` alias syntax lets a trusted-looking dependency name resolve to attacker-controlled code — here's how that becomes dependency confusion, and how to detect it.