Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Compliance & Frameworks

Japan METI's SBOM Guidance: What Software Vendors Need to Know

METI's SBOM guidance has no legal teeth, yet Ver. 2.0 already shapes procurement at Japan's largest manufacturers and critical-infrastructure buyers.

Jul 8, 20267 min read
Application Security

Wiring dependency and SAST scanning into your JavaScript CLI workflow

npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.

Jul 8, 20267 min read
AI Security

Why static scanners miss malicious AI agent skills

In April 2025, Invariant Labs showed a malicious MCP tool description could exfiltrate an SSH key — with zero suspicious code for a static scanner to flag.

Jul 8, 20266 min read
Supply Chain Attacks

How Malicious Skills Get Distributed Through Agent Registries

CVE-2025-59536 (CVSS 8.7) let a single malicious commit auto-approve MCP servers in Claude Code, no install click required. Registries need the same controls as package managers.

Jul 8, 20266 min read
AI Security

Mapping the blast radius of a vulnerable AI infrastructure dependency

One Ray dashboard flaw let attackers hit hundreds of exposed AI servers. SBOM plus call-graph data is how you find every service that shares the exposure.

Jul 8, 20266 min read
Supply Chain Attacks

The Moq NuGet incident: how a mocking library harvested developer emails

In August 2023, Moq v4.20.0 quietly ran git config at build time and phoned home 10,356 times before anyone pulled it — via a dependency nobody vetted.

Jul 8, 20266 min read
Open Source Security

The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk

In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.

Jul 8, 20266 min read
Best Practices

Node.js backend architecture patterns for 2026

Node 22 shipped a stable permission model and npm has supported provenance since 2023 — yet the September 2025 Shai-Hulud worm still spread through unpinned installs.

Jul 8, 20267 min read
Application Security

Node.js vs Deno vs Bun: comparing their security models

Only one of the three major JavaScript runtimes denies system access by default — Node's permission model only went stable in v23.5.0, and Bun still has none.

Jul 8, 20266 min read
Application Security

The security case for Node.js's newer runtime features

Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.

Jul 8, 20267 min read
Supply Chain Attacks

How npm's default install behavior leaked macOS text-replacement secrets

npm auto-runs postinstall scripts with zero prompts on every install — a design choice Snyk showed in June 2023 can pull sensitive data out of macOS defaults.

Jul 8, 20266 min read
Supply Chain Attacks

The string-width-cjs npm packages: a supply chain warm-up, not a breach

One of three empty npm packages aliasing real libraries reached 500+ dependents and 7,274 weekly downloads — with no malicious code found at all.

Jul 8, 20265 min read
supply-chain-security (Page 11) — Safeguard Blog