Safeguard
Tag

software-supply-chain-security

Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

494 articles

Threat Research

What Is a Malicious Package? Supply-Chain Malware in Open Source

A malicious package is an open-source component built or altered to run attacker code on install or at runtime. Here is how they work, real npm and PyPI cases, and how to defend.

Jul 1, 20266 min read
Threat Research

What Is a Software Supply Chain Attack? Explained

A software supply chain attack compromises the code, tools, or pipeline your software depends on — not the product itself. Here is how it works and how to defend.

Jul 1, 20267 min read
Compliance

What is the EU Cyber Resilience Act (CRA)? A software supply chain guide

The Cyber Resilience Act sets binding cybersecurity rules for products with digital elements sold in the EU. Here's who it covers, what it demands of software, and how to prepare before the 2027 deadline.

Jul 1, 20266 min read
Software Supply Chain Security

Software supply chain attack statistics and trends report

Software supply chain attacks keep climbing year over year. Here are the stats, incidents, and trends security teams need to know in 2026.

Jul 1, 20268 min read
Product

GitHub for Beginners: getting started with GitHub securit...

A beginner's guide to GitHub's free security tools, what GitHub Advanced Security actually adds, its 2025 pricing shift, and the supply chain gaps neither one covers.

Jun 30, 20267 min read
Software Supply Chain Security

A forgotten contributor account compromised the Mastra npm scope

A dormant npm account with unrevoked publish rights let attackers trojanize 144 @mastra packages in 88 minutes, dropping a crypto-wallet RAT tied to Sapphire Sleet.

Jun 30, 20266 min read
Software Supply Chain Security

ESLint config-prettier maintainer npm account compromise

A phished maintainer account turned eslint-config-prettier and four sibling npm packages into a malicious install-time payload — here's what happened and how to check exposure.

Jun 29, 20266 min read
Software Supply Chain Security

Understanding the software supply chain attack surface

SolarWinds, Log4Shell, and XZ Utils show the software supply chain attack surface is bigger than any single scan. Here's how to actually map and shrink it.

Jun 29, 20267 min read
Software Supply Chain Security

GitHub dependency graph and dependency review explained

How GitHub Dependency Graph and Dependency Review actually work, what GitHub Advanced Security adds on top, and where the coverage gaps are for teams relying on manifest-only scanning.

Jun 29, 20267 min read
Software Supply Chain Security

Preventing malicious packages with automated detection

Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.

Jun 29, 20266 min read
Software Supply Chain Security

License compliance checks for open source dependencies on...

GitHub Advanced Security scans for vulnerabilities, not license risk. Here's what real open source license compliance requires—and where GHAS falls short.

Jun 29, 20267 min read
Software Supply Chain Security

SBOM export in GitHub: generating a software bill of mate...

GitHub lets you export an SPDX SBOM in two clicks, but the file only reflects what its dependency graph can see. Here's what's missing and how Safeguard fills it.

Jun 28, 20266 min read
software-supply-chain-security (Page 5) — Safeguard Blog