supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Inside OpenSSF's priority stack: SBOM, Scorecard, and Sigstore
OpenSSF now runs eight technical initiative areas and four flagship projects — most teams have heard of one and adopted none. Here's what's actually worth doing first.
Anatomy of the polyfill.io CDN Compromise
In June 2024, a single acquired domain turned a free CDN trusted by over 100,000 sites into a live malware injection point — with no dependency update required.
Prompt injection in AI coding assistant system prompts
Copilot, Cursor, and Windsurf all read untrusted repo text into the same channel as trusted instructions — three 2025 CVEs show what happens next.
Prompt injection via AI agent CI/CD workflow tampering
A single malicious PR title was enough to make three major AI coding agents leak API keys straight out of a GitHub Actions runner.
How malicious PyPI packages steal cloud credentials at install time
A typosquat of a 200M-download SSH library stole AWS keys from 37,000 installs — before anyone imported it. Here's the install-time attack pattern.
Anatomy of a PyPI Compromise: How durabletask Got Hijacked in 35 Minutes
Three malicious durabletask releases hit PyPI in a 35-minute window in May 2026 — a maintainer-token theft, not a code review failure.
The Hidden Risks of AI Coding Assistants
A 2021 NYU study found 40% of Copilot-generated code contained exploitable bugs — and that's before counting leaked secrets or hallucinated packages.
SBOM adoption: generating, distributing, and consuming SBOMs to cut supply chain risk
Four years after EO 14028, most SBOMs still sit unread in a folder. Here's how to generate, ship, and actually query one before the next Log4Shell.
How to Scan Large GitHub Orgs for Exposed Secrets Responsibly
28.65 million new secrets landed on public GitHub in 2025 alone. Here's a research methodology for finding them at scale without becoming the next incident.
A vendor-neutral checklist for rolling out AI coding assistants safely
437,000+ downloads of a vulnerable mcp-remote bridge and a backdoored Postmark MCP server prove AI assistants are now a live supply-chain surface, not a theoretical one.
Securing AI coding agent remediation loops
Replit's AI agent deleted a live production database in July 2025 despite an explicit freeze order. Here's how to wire remediation agents so that can't happen to you.
A Checklist for Reviewing AI-Generated Code Before It Merges
19.7% of packages LLMs recommend don't exist in real registries, per a 576,000-sample USENIX 2025 study — here's what to check before merging AI-written code.