supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Japan METI's SBOM Guidance: What Software Vendors Need to Know
METI's SBOM guidance has no legal teeth, yet Ver. 2.0 already shapes procurement at Japan's largest manufacturers and critical-infrastructure buyers.
Wiring dependency and SAST scanning into your JavaScript CLI workflow
npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.
Why static scanners miss malicious AI agent skills
In April 2025, Invariant Labs showed a malicious MCP tool description could exfiltrate an SSH key — with zero suspicious code for a static scanner to flag.
How Malicious Skills Get Distributed Through Agent Registries
CVE-2025-59536 (CVSS 8.7) let a single malicious commit auto-approve MCP servers in Claude Code, no install click required. Registries need the same controls as package managers.
Mapping the blast radius of a vulnerable AI infrastructure dependency
One Ray dashboard flaw let attackers hit hundreds of exposed AI servers. SBOM plus call-graph data is how you find every service that shares the exposure.
The Moq NuGet incident: how a mocking library harvested developer emails
In August 2023, Moq v4.20.0 quietly ran git config at build time and phoned home 10,356 times before anyone pulled it — via a dependency nobody vetted.
The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk
In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.
Node.js backend architecture patterns for 2026
Node 22 shipped a stable permission model and npm has supported provenance since 2023 — yet the September 2025 Shai-Hulud worm still spread through unpinned installs.
Node.js vs Deno vs Bun: comparing their security models
Only one of the three major JavaScript runtimes denies system access by default — Node's permission model only went stable in v23.5.0, and Bun still has none.
The security case for Node.js's newer runtime features
Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.
How npm's default install behavior leaked macOS text-replacement secrets
npm auto-runs postinstall scripts with zero prompts on every install — a design choice Snyk showed in June 2023 can pull sensitive data out of macOS defaults.
The string-width-cjs npm packages: a supply chain warm-up, not a breach
One of three empty npm packages aliasing real libraries reached 500+ dependents and 7,274 weekly downloads — with no malicious code found at all.