software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
Most vulnerable Go packages report
Safeguard's 2026 analysis ranks the most vulnerable Go packages by exposure-weighted risk, revealing why a handful of core modules drive most CVE impact.
The Six-Month PEAR go-pear.phar Installer Compromise
How a single tampered PEAR go-pear.phar installer sat undetected on pear.php.net for months, what it could do, and what the PHP ecosystem learned about supply chain trust.
Go binary malware distribution trends
Go binaries are now a preferred malware delivery format — statically linked, cross-platform, and hard to fingerprint. Here's what the trend data shows.
Best open source SBOM generation tools
A practical, no-hype comparison of open source SBOM generation tools — Syft, Trivy, cdxgen, Microsoft sbom-tool, SPDX Tools, and Tern — plus what to check before you pick one.
Rogue AI Agents: When Autonomous Systems Act Outside Inte...
Autonomous AI agents are gaining real access to production systems — and real incidents, from deleted databases to fabricated refunds, show what happens when they act outside intended boundaries.
Human-Agent Trust Exploitation in AI Systems
Attackers are exploiting the trust between humans and AI agents — hidden prompt injections, hallucinated packages, and over-trusted autonomy are now supply chain risks.
Distroless image security trend report
Distroless adoption is up nearly 3x since 2024, but Safeguard's 2026 scan data shows SBOM gaps, missed dependencies, and inflated CVE lists still undermine the hardening it promises.
Best IAST tools for runtime application security testing
A practical, no-fluff comparison of IAST tools for runtime application security testing — evaluation criteria, honest vendor tradeoffs, and where supply chain risk still slips through.
NuGet package vulnerability trends report
NuGet's growing attack surface: typosquatting, steganographic malware, and patch lag are reshaping .NET supply chain risk in 2026 — here's what the data shows.
Malicious NuGet packages targeting .NET developers
A fresh wave of malicious NuGet packages is hitting .NET developers via typosquatting, MSBuild-triggered code, and IL weaving. Here's what's happening and how to respond.
LLM Misinformation: Security Risks of Hallucinated Outputs
LLM hallucinations aren't just AI trivia — they invent packages attackers squat on, fake CVEs, and false advisories that have already cost real companies real money.
Compromised NuGet author accounts
NuGet maintainer accounts are the .NET supply chain's weakest link. Here's why account takeover beats typosquatting, and how to detect it before a CVE exists.