Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1040 articles

Supply Chain Attacks

Anatomy of the Codecov Bash Uploader compromise

A single altered line in Codecov's Bash Uploader ran undetected for 65 days, siphoning CI secrets from thousands of pipelines before anyone noticed.

Jul 16, 20266 min read
AI Security

The Cursor extension that cost a developer $500,000

A fake Solidity extension on Open VSX was downloaded 50,000+ times, dropped an infostealer, and drained $500K in crypto — how the marketplace trust model failed.

Jul 16, 20266 min read
Application Security

Finding vulnerable code hidden inside shaded and uber JARs

JFrog found 65% of Log4Shell-affected artifacts embedded raw .class files instead of a jar — invisible to scanners that only read pom.xml metadata.

Jul 16, 20266 min read
Supply Chain Security

Do Not Pass GO: Malicious Golang Package Alert

A typosquat of boltdb/bolt stayed cached on Go's module proxy for roughly three years after its source repo was cleaned up — proxy caching beats takedowns.

Jul 16, 20266 min read
Container Security

OCI Image Labels and Annotations: A Practical Guide to Provenance and SBOM Linkage

OCI defines 14 standard org.opencontainers.image.* annotation keys, but labels are unsigned metadata — anyone with build access can forge them.

Jul 16, 20266 min read
Container Security

Minimal, Non-Root Docker Images for Python: A Best-Practices Guide

CVE-2019-5736 let a malicious container overwrite the host runc binary via root access. Here's how multi-stage, non-root builds close that door for Python apps.

Jul 16, 20266 min read
Supply Chain Attacks

The elementary-data hijack: when a dbt observability tool became a credential harvester

A hijacked GitHub Actions token let attackers publish a backdoored elementary-data release that stole cloud, warehouse, and SSH credentials.

Jul 16, 20266 min read
Supply Chain Attacks

The eslint-config-prettier npm compromise: when phishing beats your SCA scanner

A phishing email spoofing npm support hijacked a maintainer's account and poisoned eslint-config-prettier, a package with roughly 30 million weekly downloads.

Jul 16, 20266 min read
AI Security

When the Scanner Is the Backdoor: The LiteLLM Trivy Attack

On March 19, 2026, TeamPCP hijacked Trivy's GitHub Action to steal LiteLLM's PyPI token, then shipped a backdoored release, CVE-2026-33634, CVSS 9.4.

Jul 16, 20266 min read
Supply Chain Attacks

npm package aliasing: the dependency confusion attack surface most teams never scan

npm's alias@npm:target syntax lets an attacker capture a name that doesn't even exist yet on the registry — widening dependency confusion past simple squatting.

Jul 16, 20266 min read
AI Security

The Nx Attack Turned AI Coding Agents Into the Malware

In August 2025, attackers hijacked Nx's npm publish token and used Claude Code, Gemini CLI, and Amazon Q as the exfiltration engine — leaking 2,349 secrets.

Jul 16, 20266 min read
AI Security

The postmark-mcp Backdoor: What MCP Server Vetting Should Look Like

A trojanized MCP server BCC'd every email it sent to an attacker for weeks, downloaded 1,643 times, before anyone noticed. Here's the pattern and the fix.

Jul 16, 20267 min read
supply-chain-security — Safeguard Blog