Safeguard
Tag

software-supply-chain

Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

526 articles

Industry Analysis

The False Sense of Security Effect in AI-Assisted Develop...

AI coding assistants make developers write faster and trust more — even when the code is less secure. Here's what the data shows, and how to close the gap.

Aug 6, 20257 min read
Industry Analysis

How AI Code Generation Is Changing the Shape of the OWASP...

AI coding assistants are quietly reshuffling the OWASP Top Ten, elevating software supply chain risk and reviving old injection bugs at machine speed.

Aug 6, 20257 min read
Industry Analysis

Common Insecure Suggestions in SQL and Auth Code from AI ...

Across studies from Stanford to BaxBench, AI assistants keep suggesting string-concatenated SQL and hardcoded JWT secrets. Here is the pattern, by the numbers.

Aug 6, 20258 min read
Regulatory Compliance

Governance Frameworks Emerging for AI-Assisted Software D...

NIST, ISO 42001, and the EU AI Act now shape how teams must govern AI-generated code. Here's what an AI code governance framework actually requires in practice.

Aug 6, 20258 min read
Concepts

What Is a Lockfile?

A lockfile pins the exact versions and hashes of every dependency your build resolves. Here is how lockfiles make builds reproducible and why they are central to supply chain integrity.

Aug 5, 20255 min read
Container Security

Sidecar Proxies and the Expanding Attack Surface of Servi...

Sidecar proxies like Envoy quietly double your cluster's attack surface. Real CVEs from 2023–2024 show how mesh sidecars get exploited — and how to actually secure them.

Aug 3, 20257 min read
Open Source Security

Why Malicious Package Counts Are Rising Faster Than Detec...

Malicious packages hit 245,000+ in 2023 alone, outpacing 2019-2022 combined. Here's why detection tooling can't keep up, and how the gap actually closes.

Aug 2, 20258 min read
Open Source Security

Post-Install Scripts: The Overlooked Execution Point Atta...

Postinstall scripts run automatically on `npm install` with full user privileges—no review required. Here's how attackers exploit them, from ua-parser-js to Shai-Hulud.

Aug 1, 20258 min read
Open Source Security

Protestware and Sabotage: When Maintainers Turn Against T...

Protestware turns trusted maintainers into insider threats. See how node-ipc, colors.js, and left-pad became sabotage vectors, and how Safeguard catches the next one.

Aug 1, 20257 min read
Buyer's Guides

Comparing Malicious Package Tactics Across npm, PyPI, Rub...

npm, PyPI, RubyGems, and crates.io each get hit by malicious packages differently. Real incidents from 2018-2025 show how attacker tactics shift by ecosystem.

Aug 1, 20257 min read
Open Source Security

The Economics of Publishing Fake Packages at Scale

Publishing a malicious package costs an attacker almost nothing while payouts run into the millions. Here's the cost-benefit math behind fake packages — and how to break it.

Jul 31, 20256 min read
Open Source Security

Supply Chain Worming: Self-Propagating Malicious Packages...

How the Shai-Hulud npm worm self-propagated across 500+ packages in 48 hours by stealing tokens and republishing itself — and how to stop the next one.

Jul 31, 20257 min read
software-supply-chain (Page 40) — Safeguard Blog