software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
The False Sense of Security Effect in AI-Assisted Develop...
AI coding assistants make developers write faster and trust more — even when the code is less secure. Here's what the data shows, and how to close the gap.
How AI Code Generation Is Changing the Shape of the OWASP...
AI coding assistants are quietly reshuffling the OWASP Top Ten, elevating software supply chain risk and reviving old injection bugs at machine speed.
Common Insecure Suggestions in SQL and Auth Code from AI ...
Across studies from Stanford to BaxBench, AI assistants keep suggesting string-concatenated SQL and hardcoded JWT secrets. Here is the pattern, by the numbers.
Governance Frameworks Emerging for AI-Assisted Software D...
NIST, ISO 42001, and the EU AI Act now shape how teams must govern AI-generated code. Here's what an AI code governance framework actually requires in practice.
What Is a Lockfile?
A lockfile pins the exact versions and hashes of every dependency your build resolves. Here is how lockfiles make builds reproducible and why they are central to supply chain integrity.
Sidecar Proxies and the Expanding Attack Surface of Servi...
Sidecar proxies like Envoy quietly double your cluster's attack surface. Real CVEs from 2023–2024 show how mesh sidecars get exploited — and how to actually secure them.
Why Malicious Package Counts Are Rising Faster Than Detec...
Malicious packages hit 245,000+ in 2023 alone, outpacing 2019-2022 combined. Here's why detection tooling can't keep up, and how the gap actually closes.
Post-Install Scripts: The Overlooked Execution Point Atta...
Postinstall scripts run automatically on `npm install` with full user privileges—no review required. Here's how attackers exploit them, from ua-parser-js to Shai-Hulud.
Protestware and Sabotage: When Maintainers Turn Against T...
Protestware turns trusted maintainers into insider threats. See how node-ipc, colors.js, and left-pad became sabotage vectors, and how Safeguard catches the next one.
Comparing Malicious Package Tactics Across npm, PyPI, Rub...
npm, PyPI, RubyGems, and crates.io each get hit by malicious packages differently. Real incidents from 2018-2025 show how attacker tactics shift by ecosystem.
The Economics of Publishing Fake Packages at Scale
Publishing a malicious package costs an attacker almost nothing while payouts run into the millions. Here's the cost-benefit math behind fake packages — and how to break it.
Supply Chain Worming: Self-Propagating Malicious Packages...
How the Shai-Hulud npm worm self-propagated across 500+ packages in 48 hours by stealing tokens and republishing itself — and how to stop the next one.